TryHackMe - Steel Mountain (key points: HFS 2.3 & unquoted service paths privilege escalation)

This article walks through the Steel Mountain machine on the TryHackMe platform: how scanning reveals the HFS 2.3 service vulnerability, and how that vulnerability is used to obtain a shell. Next, the winPEAS and PowerUp tools find an unquoted service path weakness, which is then used to escalate privileges and take the system. The key steps of the escalation are a file upload, a service restart, and path confusion.


1 Scanning

A plain nmap -A <ip> scan returned too few results and no obvious way in.
So scan all ports instead. A full-range nmap scan is too slow, so run masscan first and then point nmap only at the ports masscan discovered.
The HTTP service on 8080 identifies itself as HFS 2.3; after enough boxes you know this version has a vulnerability. Compare the Optimum machine.

C:\root> masscan -p1-65535,U:1-65535 10.10.17.99 --rate=1000 -e tun0

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-05-26 00:51:49 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 5985/tcp on 10.10.17.99                                   
Discovered open port 49163/tcp on 10.10.17.99                                  
Discovered open port 139/tcp on 10.10.17.99                                    
Discovered open port 49162/tcp on 10.10.17.99                                  
Discovered open port 135/tcp on 10.10.17.99                                    
Discovered open port 49154/tcp on 10.10.17.99                                  
Discovered open port 49157/tcp on 10.10.17.99                                  
Discovered open port 3389/tcp on 10.10.17.99                                   
Discovered open port 137/udp on 10.10.17.99                                    
Discovered open port 49152/tcp on 10.10.17.99                                  
Discovered open port 445/tcp on 10.10.17.99                                    
Discovered open port 49153/tcp on 10.10.17.99                                  
Discovered open port 49155/tcp on 10.10.17.99                                  
Discovered open port 80/tcp on 10.10.17.99                                     
Discovered open port 47001/tcp on 10.10.17.99                                  
Discovered open port 8080/tcp on 10.10.17.99                                   
C:\root> nmap -p5985,49136,139,49162,135,49154,49157,3389,137,49152,445,49153,49155,80,47001,8080 -A 10.10.17.99
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 20:56 EDT
Nmap scan report for 10.10.17.99
Host is up (0.26s latency).

PORT      STATE  SERVICE            VERSION
80/tcp    open   http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/html).
135/tcp   open   msrpc              Microsoft Windows RPC
137/tcp   closed netbios-ns
139/tcp   open   netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open   ssl/ms-wbt-server?
|_ssl-date: 2020-05-26T00:58:11+00:00; 0s from scanner time.
5985/tcp  open   http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                      
|_http-title: Not Found                                                                                                                                          
8080/tcp  open   http               HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
47001/tcp
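The port list for the second command above was copied by hand from the masscan output, and the two disagree: masscan reported 49163/tcp, the nmap command scans 49136, and 137 (found as UDP) was typed into the TCP list, which is why nmap reports 137/tcp as closed. The following script is an added example, not part of the original post or of masscan/nmap themselves: it parses masscan's "Discovered open port" lines, builds a correct nmap -p argument with T:/U: prefixes, and diffs a hand-typed list against what was actually found. The sample input is the masscan output shown on this page; the function names are my own.

```python
import re
from collections import defaultdict

# masscan prints one line per open port: "Discovered open port 80/tcp on 10.10.17.99"
DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<ip>[\d.]+)\s*$"
)

# Sample input: the masscan lines from the walkthrough above (other lines are
# kept to show that header/option lines are ignored by the parser).
SAMPLE = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-05-26 00:51:49 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 5985/tcp on 10.10.17.99
Discovered open port 49163/tcp on 10.10.17.99
Discovered open port 139/tcp on 10.10.17.99
Discovered open port 49162/tcp on 10.10.17.99
Discovered open port 135/tcp on 10.10.17.99
Discovered open port 49154/tcp on 10.10.17.99
Discovered open port 49157/tcp on 10.10.17.99
Discovered open port 3389/tcp on 10.10.17.99
Discovered open port 137/udp on 10.10.17.99
Discovered open port 49152/tcp on 10.10.17.99
Discovered open port 445/tcp on 10.10.17.99
Discovered open port 49153/tcp on 10.10.17.99
Discovered open port 49155/tcp on 10.10.17.99
Discovered open port 80/tcp on 10.10.17.99
Discovered open port 47001/tcp on 10.10.17.99
Discovered open port 8080/tcp on 10.10.17.99
"""

# The port list as it was typed into the nmap command on this page.
TYPED_NMAP_PORTS = "5985,49136,139,49162,135,49154,49157,3389,137,49152,445,49153,49155,80,47001,8080"


def parse_masscan(text):
    """Return {ip: {"tcp": set_of_ports, "udp": set_of_ports}} from masscan stdout."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = DISCOVERED_RE.match(line.strip())
        if m:  # header, option and progress lines do not match and are skipped
            hosts[m["ip"]][m["proto"]].add(int(m["port"]))
    return dict(hosts)


def nmap_port_spec(ports):
    """Build an nmap -p argument, e.g. 'T:80,445,U:137', from one host's port sets."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(str(p) for p in sorted(ports["tcp"])))
    if ports["udp"]:
        parts.append("U:" + ",".join(str(p) for p in sorted(ports["udp"])))
    return ",".join(parts)


def nmap_commands(text, extra_args="-A"):
    """One follow-up nmap command line per host seen in the masscan output."""
    cmds = {}
    for ip, ports in parse_masscan(text).items():
        flags = extra_args
        if ports["udp"]:
            flags += " -sU -sS"  # U: ports are only probed when a UDP scan type is selected
        cmds[ip] = f"nmap -p{nmap_port_spec(ports)} {flags} {ip}"
    return cmds


def diff_typed_ports(typed_csv, found_tcp):
    """Compare a hand-typed TCP port list with the discovered set.

    Returns (missing, extra): ports masscan found that were not typed, and
    typed ports that masscan never reported as open TCP.
    """
    typed = {int(p) for p in typed_csv.split(",") if p.strip()}
    return sorted(found_tcp - typed), sorted(typed - found_tcp)


if __name__ == "__main__":
    hosts = parse_masscan(SAMPLE)
    for ip, cmd in nmap_commands(SAMPLE).items():
        print(cmd)
    missing, extra = diff_typed_ports(TYPED_NMAP_PORTS, hosts["10.10.17.99"]["tcp"])
    print("found but not typed:", missing)
    print("typed but not found as open tcp:", extra)
```

Running the diff against the page's own command reports 49163 as found-but-not-typed and 49136 and 137 as typed-but-not-found, which is exactly the discrepancy visible in the two outputs above. Generating the port list from the scanner output rather than retyping it avoids that class of mistake on any box.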