HackTheBox: Granny Walkthrough (without Metasploit)

This document records in detail the process of exploiting CVE-2017-7269, a vulnerability in the IIS 6.0 WebDAV service, covering information gathering, exploitation and privilege escalation. Using nikto, nmap and davtest, a JSP webshell is eventually uploaded and executed, after which Windows Exploit Suggester is used to find a privilege-escalation vulnerability and complete the attack.


Prerequisites

nikto, nmap, WebDAV on IIS 6.0, davtest, the webshells bundled with Kali

Information gathering

nmap 10.10.10.15

Only port 80 is open, so this is a web target again; open the target in a browser.

It lands straight on an error page, which is confusing, but it does reveal that the server is IIS.

A directory scan gave no leads, so run nmap's vulnerability scripts.

nmap --script=vuln 10.10.10.15

Still nothing of note.

Run nikto; this time there is a lot more information.

nikto -h http://10.10.10.15

+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV

The server is IIS 6.0, so search for IIS 6.0 exploits.

This turns up "Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow", CVE-2017-7269, and this machine happens to have DAV enabled.

WebDAV can be tested with davtest:

davtest -url http://10.10.10.15

The test results are as follows:

********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: a6GgkBw
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_a6GgkBw
********************************************************
 Sending test files
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.pl
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jhtml
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jsp
PUT     asp     FAIL
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.cfm
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.php
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
PUT     cgi     FAIL
PUT     shtml   FAIL
PUT     aspx    FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.html
********************************************************
 Checking for test file execution
EXEC    pl      FAIL
EXEC    jhtml   FAIL
EXEC    jsp     FAIL
EXEC    cfm     FAIL
EXEC    php     FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_a6
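The davtest output above is easier to reason about as a per-extension matrix: which extensions the server stored, and which of those it then ran or served back. The following parser is an added example (not part of the original post, nor of davtest itself); `SAMPLE` is copied from the run above, including the cut-off final line, and the regex assumes davtest's "PUT/EXEC ext STATUS[: url]" line layout. Note that a SUCCEED on EXEC for txt and html only means the file was served back as static content, while the script extensions were written to disk but no handler executed them.

```python
# Added example, not from the post or davtest; SAMPLE is copied from the run above.
from __future__ import annotations
import re

SAMPLE = """\
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.pl
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jhtml
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.jsp
PUT     asp     FAIL
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.cfm
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.php
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
PUT     cgi     FAIL
PUT     shtml   FAIL
PUT     aspx    FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.html
EXEC    pl      FAIL
EXEC    jhtml   FAIL
EXEC    jsp     FAIL
EXEC    cfm     FAIL
EXEC    php     FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_a6GgkBw/davtest_a6GgkBw.txt
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_a6
"""
# Matches "PUT <ext> SUCCEED: <url>" and "EXEC <ext> FAIL"; banner/NOTE/MKCOL lines are ignored.
_LINE = re.compile(r"^(PUT|EXEC)\s+(\w+)\s+(SUCCEED|FAIL)(?::\s*(\S+))?\s*$")

def parse_davtest(output: str) -> dict[str, dict[str, bool]]:
    """Map each tested extension to {'put': bool, 'exec': bool}."""
    matrix: dict[str, dict[str, bool]] = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        verb, ext, status, _url = m.groups()
        matrix.setdefault(ext, {"put": False, "exec": False})
        matrix[ext][verb.lower()] = status == "SUCCEED"
    return matrix

def classify(matrix: dict[str, dict[str, bool]]) -> dict[str, list[str]]:
    """Group extensions by how far an uploaded file gets on the server."""
    groups: dict[str, list[str]] = {"executed": [], "stored": [], "rejected": []}
    for ext, r in sorted(matrix.items()):
        if r["put"] and r["exec"]:
            groups["executed"].append(ext)   # written and served/run (txt, html here)
        elif r["put"]:
            groups["stored"].append(ext)     # written to disk, but no handler ran it
        else:
            groups["rejected"].append(ext)   # PUT refused by the server (asp, aspx, ...)
    return groups
```

For a defender, the "stored" group is the one to act on: the server is accepting anonymous writes of script files through PUT even though it does not execute them, and the "rejected" group shows which extensions the filtering already blocks.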