Getting a shell on a practice target

00 Preface

A write-up of getting a shell on a practice target machine, from scanning to privilege escalation.

1. Information gathering

01. nmap scan

Start with a full-port version-detection scan of the target with nmap.

The scan output is appended at the end of this post (nmap scan results).

From the nmap output, combined with a look in the browser, ports 82, 84 and 85 are reachable and each hosts a website. Port 80 is also open (Apache 2.2.15 with PHP 5.3.15), but it is not pursued here.

The next step is directory brute-forcing to find where the admin panels are.
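The hand-off from the port scan to the directory brute-force can be scripted. The following is an added example in Python, not code from the original post: it parses the port table of nmap's normal output, keeps the open HTTP services, drops the Windows HTTPAPI listeners on 5985 and 47001 (WinRM, not web sites), picks dirsearch extensions from the server banner (IIS gets asp,aspx, Apache with PHP gets php) and builds one dirsearch command per site. The embedded scan excerpt is copied from the nmap output at the end of this post; the extension rule and the list of service names treated as HTTP are my own assumptions.

```python
import re

# Constructed excerpt of the nmap -sV -p- output appended to this post
# (only the port table is needed; header and footer lines are omitted).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
23/tcp open telnet Microsoft Windows XP telnetd
80/tcp open http Apache httpd 2.2.15 ((Win32) PHP/5.3.15)
82/tcp open http Microsoft IIS httpd 7.0
84/tcp open http Microsoft IIS httpd 7.0
85/tcp open http Microsoft IIS httpd 7.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600; RTM
3306/tcp open mysql MySQL 5.5.27
3389/tcp open ssl/ms-wbt-server?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# One port-table row: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Parse the port table of nmap's normal (-oN / stdout) output into dicts."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, "Not shown", MAC Address, Service Info, etc.
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "version": (version or "").strip(),
        })
    return rows


def guess_extensions(version):
    """Pick dirsearch extensions from the server banner (assumed rule):
    IIS means ASP/ASPX, an Apache banner mentioning PHP means PHP, else html."""
    v = version.lower()
    if "iis" in v:
        return "asp,aspx"
    if "php" in v:
        return "php"
    return "html"


def web_targets(rows, host):
    """Return (url, extensions) for every open HTTP service worth brute-forcing.
    Windows HTTPAPI listeners (WinRM on 5985/47001) look like http to nmap but
    are not web sites, so they are skipped."""
    targets = []
    for r in rows:
        if r["state"] != "open":
            continue
        svc = r["service"]
        if svc not in ("http", "https", "ssl/http", "http-alt"):
            continue
        if "HTTPAPI" in r["version"]:
            continue
        scheme = "https" if svc in ("https", "ssl/http") else "http"
        targets.append((f"{scheme}://{host}:{r['port']}", guess_extensions(r["version"])))
    return targets


def dirsearch_commands(targets):
    """Render one dirsearch invocation per target, in the form used in this post."""
    return [f"python dirsearch.py -u {url} -e {ext}" for url, ext in targets]


if __name__ == "__main__":
    for cmd in dirsearch_commands(web_targets(parse_ports(NMAP_OUTPUT), "192.168.241.131")):
        print(cmd)
```

Run against the scan above it yields four commands, not three: the Apache/PHP site on port 80 is a target as well, which the post leaves aside. The service-name check is deliberately strict; a banner-less port that nmap labels `http-proxy` or `unknown` would need to be added by hand.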

02. Directory brute-forcing

Directory brute-forcing is run against two of the sites; the third one, on port 85, already shows a login page up front, so it is skipped.

Port 82 scan results (appended at the end of the post)

Port 84 scan results (appended at the end of the post)
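One thing to check before trusting the port-84 listing at the end of the post: almost every .aspx probe answers 200 with a body of roughly 385 to 546 bytes, including names that cannot be real pages such as /a%5c.aspx and /asp.aspx. That pattern usually means the server returns a custom not-found page with status 200 (a soft 404), in which case /upload.aspx, /cmdasp.aspx and the fckeditor connector paths are not confirmed endpoints until they are fetched by hand and compared with the error page. This is my reading of the output, not a claim the post makes. The added example below (Python, not the post's code) parses dirsearch 0.3.x console output, takes the response size of a known-impossible path as the fingerprint of the error page and splits the hits into ones worth opening and ones to re-check. The sample lines are copied from the port-84 run; the size window is an assumption to tune per target.

```python
import re

# Constructed sample: a subset of lines from the port-84 dirsearch run appended to this post.
DIRSEARCH_OUTPUT = """\
[14:38:14] 301 - 155B - /admin -> http://192.168.241.131:84/admin/
[14:38:14] 200 - 385B - /a%5c.aspx
[14:38:14] 200 - 390B - /admin.aspx
[14:38:14] 200 - 500B - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[14:38:15] 200 - 6KB - /admin/
[14:38:17] 200 - 386B - /asp.aspx
[14:38:19] 200 - 392B - /cmdasp.aspx
[14:38:23] 200 - 10KB - /index.html
[14:38:23] 200 - 271B - /install/
[14:38:31] 200 - 433B - /Trace.axd
[14:38:32] 200 - 392B - /upload.aspx
[14:38:32] 500 - 0B - /WEB-INF./web.xml
[14:38:40] 302 - 158B - /user/ -> http://192.168.241.131:84/user/login.aspx
"""

# "[HH:MM:SS] <status> - <size><unit> - <path> [-> <redirect>]"
HIT_LINE = re.compile(
    r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+(\d+)(B|KB|MB)\s+-\s+(\S+)(?:\s+->\s+(\S+))?\s*$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}


def parse_dirsearch(text):
    """Parse dirsearch 0.3.x console output into dicts (sizes normalised to bytes)."""
    hits = []
    for line in text.splitlines():
        m = HIT_LINE.match(line)
        if not m:
            continue  # banner, "Target:", "Task Completed", blank lines
        status, size, unit, path, redirect = m.groups()
        hits.append({"status": int(status), "size": int(size) * UNITS[unit],
                     "path": path, "redirect": redirect})
    return hits


def triage(hits, probe_paths, low=0.9, high=1.5):
    """Separate probable real hits from probable soft-404s.

    probe_paths are names that cannot exist on the target. If one of them came
    back 200, the server answers unknown paths with a custom page and status
    200, and its size is the fingerprint. Every other 200 whose size lies in
    [low, high] x fingerprint is treated as that same not-found page. The window
    is asymmetric (assumed values) because such pages usually echo the requested
    path, so longer paths make them slightly larger. Non-200 hits (301/302/403/
    500) are kept untouched: a redirect to a directory or login page is real.
    """
    baseline = [h["size"] for h in hits if h["status"] == 200 and h["path"] in probe_paths]
    if not baseline:
        return list(hits), []  # no soft-404 evidence: trust the status codes
    ref = min(baseline)
    keep, suspect = [], []
    for h in hits:
        if h["status"] == 200 and low * ref <= h["size"] <= high * ref:
            suspect.append(h)
        else:
            keep.append(h)
    return keep, suspect


if __name__ == "__main__":
    keep, suspect = triage(parse_dirsearch(DIRSEARCH_OUTPUT), {"/a%5c.aspx"})
    for h in keep:
        print("KEEP   ", h["status"], h["size"], h["path"])
    for h in suspect:
        print("RECHECK", h["status"], h["size"], h["path"])
```

On the sample, /admin/ (6KB), /index.html (10KB) and /install/ (271B) survive because they cannot be the same error page, while /upload.aspx, /cmdasp.aspx, /Trace.axd and the fckeditor upload connector land in the re-check list. Confirm the split by requesting a second random name and diffing the bodies; if the target's error page does not echo the path, tighten the window.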

03. Next steps

Getting into the two sites' admin panels: both basically use weak passwords. If they did not, password brute-forcing would be the fallback, and the login pages found by the directory scan are where it would be aimed.

The port-82 admin login is at /system/; the port-84 one is at /admin/.

2. Finding the vulnerability

The plan is to find an upload point and use it to upload a webshell.

After logging into the port-85 admin panel, the following upload point was found:
[screenshot: upload point]

Once the webshell is uploaded, its path can be read from the file's info page, or found in the backend's content management section.

[screenshot: file path as shown in the admin panel]

[screenshot: content management section]

[screenshot: Caidao (China Chopper) connected to the webshell]

3. Privilege escalation

After some searching, the SecWiki privilege-escalation tool collection turned out to be the easiest to use; link attached.

Usage: upload the escalation binary through the same upload point used for the webshell, then run it with a command from the webshell.

[screenshot: privilege escalation result]
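Before uploading an escalation binary it pays to check which patch the target is missing and which architecture it runs, since such collections are organised by security bulletin and the binaries are architecture-specific. The added example below (Python, not the post's or SecWiki's code) parses `systeminfo` output into the OS name, build, architecture and installed KB set, then lists the bulletins from a small catalogue whose fix is absent. The systeminfo excerpt is constructed for a Windows Server 2008 R2 x64 host like the one nmap reported, with a made-up hotfix list; the two catalogue entries (MS15-051 fixed by KB3045171, MS16-032 fixed by KB3139914) are public facts I added for illustration, and the affected-OS tags are abbreviated, so fill the table from the collection's own README before relying on it.

```python
import re

# Constructed systeminfo excerpt for a Windows Server 2008 R2 x64 host, the OS nmap
# reported for this target. The hotfix list is made up for the example and is not
# the target's real patch state.
SYSTEMINFO = """\
Host Name:                 IIS70-CN
OS Name:                   Microsoft Windows Server 2008 R2 Enterprise
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3045171
Network Card(s):           1 NIC(s) Installed.
"""

# Sample catalogue added for illustration: bulletin -> KB that fixes it -> affected
# OS tags (abbreviated). Complete it from the tool collection's README.
CATALOGUE = {
    "MS15-051": {"kb": "KB3045171", "os": ("2003", "2008", "Windows 7", "2012")},
    "MS16-032": {"kb": "KB3139914", "os": ("2008", "Windows 7", "2012")},
}

# Hotfix rows look like "[01]: KB2999226" in every locale, unlike the section
# header, so matching the row pattern keeps the parser working on localised output
# (the host name IIS70-CN hints at a Chinese-language install).
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Pull OS name, build, architecture and the installed KB set out of systeminfo."""
    info = {"os": "", "version": "", "arch": "", "hotfixes": set()}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        label = label.strip()
        if label == "OS Name":
            info["os"] = value.strip()
        elif label == "OS Version":
            info["version"] = value.strip()
        elif label == "System Type":
            info["arch"] = "x64" if "x64" in value else "x86"
        m = HOTFIX_RE.search(line)
        if m:
            info["hotfixes"].add(m.group(1))
    return info


def candidate_exploits(info, catalogue):
    """Return bulletins whose fixing KB is absent and whose OS tags match this host.

    Absence of the exact KB is a hint, not proof: a later rollup can supersede the
    fix under a different KB number, so check the newest installed KB's date too.
    """
    hits = []
    for name, entry in catalogue.items():
        if entry["kb"] in info["hotfixes"]:
            continue
        if not any(tag in info["os"] for tag in entry["os"]):
            continue
        hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    host = parse_systeminfo(SYSTEMINFO)
    print(host["os"], host["version"], host["arch"])
    print("installed:", sorted(host["hotfixes"]))
    print("candidates:", candidate_exploits(host, CATALOGUE))
```

On the sample the host has KB3045171, so MS15-051 drops out and only MS16-032 remains a candidate; the `arch` field decides which build of it to upload, since a binary for the wrong architecture will not work. Windows 7 and 2008 R2 moved to monthly rollups in late 2016, after which a single new KB can cover many older ones, which is why the docstring insists on checking dates and not only KB numbers.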

After that, anything goes. Backdoors and clearing traces will be covered when they come up on a later target.


nmap scan results

root@kali:~# nmap -sV -p- -n 192.168.241.131
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-21 14:21 CST
Nmap scan report for 192.168.241.131
Host is up (0.00049s latency).
Not shown: 65515 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Microsoft Windows XP telnetd
80/tcp open http Apache httpd 2.2.15 ((Win32) PHP/5.3.15)
82/tcp open http Microsoft IIS httpd 7.0
84/tcp open http Microsoft IIS httpd 7.0
85/tcp open http Microsoft IIS httpd 7.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
1433/tcp open ms-sql-s Microsoft SQL Server 2008 10.00.1600; RTM
2383/tcp open ms-olap4?
3306/tcp open mysql MySQL 5.5.27
3389/tcp open ssl/ms-wbt-server?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:01:46:FB (VMware)
Service Info: Host: IIS70-CN; OSs: Windows XP, Windows; CPE: cpe:/o:microsoft:windows_xp, cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.96 seconds

Port 82 scan results


λ python dirsearch.py -u http://192.168.241.131:82 -e asp

_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: asp | Threads: 10 | Wordlist size: 6064

Error Log: C:\Users\Elliot\OneDrive\桌面\同步文件夹\靶机渗透\dirsearch\logs\errors-19-04-21_14-32-56.log

Target: http://192.168.241.131:82

[14:32:56] Starting:
[14:32:56] 403 - 312B - /%2e%2e/google.com
[14:32:56] 400 - 324B - /%ff/
[14:33:05] 301 - 163B - /aspnet_client -> http://192.168.241.131:82/aspnet_client/
[14:33:05] 200 - 0B - /asp.aspx
[14:33:07] 301 - 153B - /css -> http://192.168.241.131:82/css/
[14:33:07] 301 - 158B - /database -> http://192.168.241.131:82/database/
[14:33:07] 403 - 1KB - /database/
[14:33:09] 301 - 155B - /image -> http://192.168.241.131:82/image/
[14:33:09] 301 - 156B - /images -> http://192.168.241.131:82/images/
[14:33:09] 301 - 156B - /Images -> http://192.168.241.131:82/Images/
[14:33:09] 301 - 157B - /include -> http://192.168.241.131:82/include/
[14:33:09] 403 - 1KB - /include/
[14:33:10] 200 - 23KB - /index.asp
[14:33:17] 301 - 156B - /system -> http://192.168.241.131:82/system/
[14:33:17] 200 - 4KB - /system/
[14:33:18] 403 - 2KB - /Trace.axd
[14:33:19] 500 - 3KB - /WebResource.axd?d=LER8t9aS

Task Completed

Port 84 scan results


λ python dirsearch.py -u http://192.168.241.131:84 -e asp

_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: asp | Threads: 10 | Wordlist size: 6064

Error Log: C:\Users\Elliot\OneDrive\桌面\同步文件夹\靶机渗透\dirsearch\logs\errors-19-04-21_14-38-10.log

Target: http://192.168.241.131:84

[14:38:10] Starting:
[14:38:10] 403 - 312B - /%2e%2e/google.com
[14:38:10] 400 - 324B - /%ff/
[14:38:13] 301 - 157B - /aboutus -> http://192.168.241.131:84/aboutus/
[14:38:14] 301 - 155B - /ADMIN -> http://192.168.241.131:84/ADMIN/
[14:38:14] 301 - 155B - /admin -> http://192.168.241.131:84/admin/
[14:38:14] 301 - 155B - /Admin -> http://192.168.241.131:84/Admin/
[14:38:14] 500 - 0B - /admin%20/
[14:38:14] 200 - 385B - /a%5c.aspx
[14:38:14] 200 - 390B - /admin.aspx
[14:38:14] 500 - 0B - /admin.
[14:38:14] 200 - 540B - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[14:38:14] 200 - 506B - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[14:38:14] 200 - 500B - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[14:38:14] 200 - 492B - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[14:38:15] 200 - 6KB - /admin/
[14:38:15] 200 - 6KB - /admin/?/login
[14:38:17] 200 - 386B - /asp.aspx
[14:38:17] 301 - 163B - /aspnet_client -> http://192.168.241.131:84/aspnet_client/
[14:38:17] 200 - 394B - /aspxspy.aspx
[14:38:19] 200 - 479B - /ckeditor/ckfinder/core/connector/aspx/connector.aspx
[14:38:19] 200 - 392B - /cmdasp.aspx
[14:38:19] 301 - 157B - /content -> http://192.168.241.131:84/content/
[14:38:20] 301 - 158B - /Download -> http://192.168.241.131:84/Download/
[14:38:20] 301 - 158B - /download -> http://192.168.241.131:84/download/
[14:38:21] 200 - 527B - /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[14:38:21] 200 - 493B - /fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[14:38:21] 200 - 487B - /fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[14:38:21] 200 - 479B - /fckeditor/editor/filemanager/upload/aspx/upload.aspx
[14:38:21] 200 - 402B - /file_upload.aspx
[14:38:22] 200 - 506B - /includes/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[14:38:22] 200 - 512B - /includes/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[14:38:22] 200 - 498B - /includes/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[14:38:22] 200 - 546B - /includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[14:38:23] 200 - 10KB - /index.html
[14:38:23] 200 - 394B - /install.aspx
[14:38:23] 301 - 157B - /install -> http://192.168.241.131:84/install/
[14:38:23] 301 - 157B - /Install -> http://192.168.241.131:84/Install/
[14:38:23] 301 - 157B - /INSTALL -> http://192.168.241.131:84/INSTALL/
[14:38:23] 301 - 163B - /international -> http://192.168.241.131:84/international/
[14:38:23] 200 - 271B - /install/
[14:38:23] 301 - 152B - /js -> http://192.168.241.131:84/js/
[14:38:24] 301 - 153B - /log -> http://192.168.241.131:84/log/
[14:38:27] 301 - 154B - /plus -> http://192.168.241.131:84/plus/
[14:38:28] 500 - 0B - /rating_over.
[14:38:28] 301 - 157B - /release -> http://192.168.241.131:84/release/
[14:38:28] 200 - 496B - /scripts/ckeditor/ckfinder/core/connector/aspx/connector.aspx
[14:38:29] 200 - 394B - /service.asmx
[14:38:30] 200 - 386B - /spy.aspx
[14:38:31] 301 - 158B - /template -> http://192.168.241.131:84/template/
[14:38:31] 200 - 388B - /test.aspx
[14:38:31] 200 - 433B - /Trace.axd
[14:38:31] 200 - 450B - /umbraco/webservices/codeEditorSave.asmx
[14:38:32] 200 - 392B - /upload.aspx
[14:38:32] 301 - 154B - /user -> http://192.168.241.131:84/user/
[14:38:32] 500 - 0B - /WEB-INF./web.xml
[14:38:32] 200 - 367B - /WebResource.axd?d=LER8t9aS
[14:38:40] 302 - 158B - /user/ -> http://192.168.241.131:84/user/login.aspx

Task Completed
