Skip to main content

Retro

端口扫描

root@ip-10-10-106-53:~/retro# nmap -sTCV -p 80,3389,5985 --min-rate 1000 10.10.183.243

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-17 15:15 BST
Nmap scan report for ip-10-10-183-243.eu-west-1.compute.internal (10.10.183.243)
Host is up (0.00018s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2023-10-16T14:11:50
|_Not valid after:  2024-04-16T14:11:50
|_ssl-date: 2023-10-17T14:16:08+00:00; -1s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 02:14:75:33:57:6D (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.72 seconds

80

root@ip-10-10-106-53:~/retro# gobuster dir -u http://10.10.183.243/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.183.243/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,txt
[+] Timeout:        10s
===============================================================
2023/10/17 15:17:28 Starting gobuster
===============================================================
/retro (Status: 301)
/Retro (Status: 301)
===============================================================
2023/10/17 15:19:25 Finished
===============================================================

进行目录扫描之后我访问新发现的目录站点, 在观察其网页源代码时我发现一些特殊之处,从显示告诉我这是一个 wordpress 站点

image-20240709195424351

接着我开始了一系列的枚举:

  • 一个用户 : wade
  • 从网站的评论中收集到一个密码 : parzival

经过确认发现其对应的就是我们的 wade 用户的密码, 之后访问 wordpress 用户界面发现 wade 就是管理员用户, 在此可以直接编写 Shell 来进行获取 Shell, 但是要注意使用 windows-php-reverse-shell

后渗透

iusr

image-20240709195511855

Wade

我们可以使用得到的密码进行 RDP 的远程连接

[root@jtz Desktop]# xfreerdp /v:10.10.183.243 /u:wade /p:parzival

image-20240709195526188

wade —> system

之后我们可以发现存在一个浏览器, 一般来说这里可能存在一个密码, 当我访问之后我发现其中有一个 CVE 我感觉这就是突破口

image-20240709195552897

搜寻后发现这是一个 UAC 的权限提升漏洞, 参考 EXP https://github.com/jas502n/CVE-2019-1388进行操作最终得到了 system 的权限

image-20240709195541623