基本信息

端口扫描

就一个80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ nmap -sC -sV 10.10.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 15:35 CST
Nmap scan report for 10.10.10.14
Host is up (0.069s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Thu, 24 Dec 2020 07:36:12 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.41 seconds

80

IIS 6.0,默认建设中页面:

#CVE-2017-7269

搜索得到:

msf有模块直接一键打,拿到的是network service权限shel(因为是BOF,很容易把服务打挂,显示错误就reset机器吧)l:

提权信息

然后直接用local_exploit_suggester:

提权

随便选一个,打就完事了,打之前需要mighrate到一个标准进程:

打完之后我们的service shell就变成system了:

flags

然后直接去读取flag:

1
2
3
4
5
6
7
8
9
10
11
meterpreter > search -f user.txt
Found 1 result...
    c:\Documents and Settings\Harry\Desktop\user.txt (32 bytes)
meterpreter > search -f root.txt
Found 1 result...
    c:\Documents and Settings\Administrator\Desktop\root.txt (32 bytes)
meterpreter >
meterpreter > cd 'C:\Documents and Settings'

cat Harry/Desktop/user.txt
cat Administrator/Desktop/root.txt

参考资料