TryHackMe-Blaster

Machine link: Blaster

Difficulty: Easy

This machine is the follow-up to TryHackMe-Ice.

A full-range service scan shows three open TCP ports on the target (80, 3389 and 5985):

# nmap -sV -p- -T5 10.10.117.185
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-05 05:46 UTC
Nmap scan report for ip-10-10-117-185.eu-west-1.compute.internal (10.10.117.185)
Host is up (0.00050s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 02:C6:A6:1B:9B:4E (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.03 seconds
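It is easy to miscount what a scan like this actually found, so the following script (an added example written for this writeup, not code from the original page or from TryHackMe) parses nmap's normal-format output into port records and cross-checks the count against the "Not shown: N ... ports" line. The scan text is the output above, embedded as a constant so the script runs offline; the WinRM/RDP labels in HINTS are assumptions drawn from well-known port/service pairings, not something the scan itself states, and the cross-check assumes a full-range (-p-) scan as used here.

```python
"""Parse nmap normal output (stdout / -oN) into open-port records.

Added example for this writeup. SCAN_OUTPUT is the scan shown above,
embedded here (constructed copy) so the parser runs without a target.
"""
import re
from dataclasses import dataclass

SCAN_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-05 05:46 UTC
Nmap scan report for ip-10-10-117-185.eu-west-1.compute.internal (10.10.117.185)
Host is up (0.00050s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 02:C6:A6:1B:9B:4E (Unknown)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line: "5985/tcp open  http  Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
NOT_SHOWN = re.compile(r"^Not shown: (?P<n>\d+) (?:closed|filtered) ports")
FULL_RANGE = 65535  # assumption: the scan used -p-, so nmap probed every port

# Assumed labels for well-known pairings; nmap's own names are in the records.
HINTS = {
    (80, "http"): "web server, enumerate directories (dirb/gobuster)",
    (3389, "ms-wbt-server"): "RDP, try the credentials you collect",
    (5985, "http"): "WinRM over HTTP (nmap reports the HTTPAPI listener as http)",
}


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(text):
    """Return every port line in the scan as a PortRecord, in scan order."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], (m["version"] or "").strip()))
    return records


def open_ports(text):
    """Only ports nmap reports as open (filters out open|filtered, closed)."""
    return [r for r in parse_ports(text) if r.state == "open"]


def shown_port_count(text):
    """Ports nmap listed explicitly: full range minus the 'Not shown' figure.

    For a -p- scan this must equal len(parse_ports(text)); a mismatch means
    the output was truncated or the scan was not full-range.
    """
    m = next((NOT_SHOWN.match(l) for l in text.splitlines() if NOT_SHOWN.match(l)), None)
    if m is None:
        raise ValueError("no 'Not shown' line; cannot cross-check the port count")
    return FULL_RANGE - int(m["n"])


def annotate(record):
    """Human-readable line for a record, with an assumed hint where we have one."""
    hint = HINTS.get((record.port, record.service), "no hint")
    return f"{record.port}/{record.proto} {record.service} [{record.version}] -> {hint}"


if __name__ == "__main__":
    records = open_ports(SCAN_OUTPUT)
    assert len(records) == shown_port_count(SCAN_OUTPUT), "port count mismatch"
    for r in records:
        print(annotate(r))
```

On a real engagement prefer nmap's XML output (-oX) and an XML parser over scraping the human-readable format; the point here is the cross-check, which flags the 5985 listener that a quick glance at "2 ports" would miss.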

Browsing to port 80 shows the default IIS landing page.
Brute-forcing directories with dirb reveals a hidden directory, /retro.

/retro turns out to be a WordPress blog; reading through its posts yields a username and a password.
Those credentials work for RDP (port 3389). Once logged in, the browser history and the Recycle Bin show what the user had been doing on the box, and point to a way to bypass UAC.

Bypass tutorial:
Step-by-step reproduction (video): Ytb

When the bypass succeeds it opens a cmd prompt that runs elevated, so inside that prompt we are Administrator and can read the root flag. Note that a UAC bypass only un-filters the token of an account that is already in the local Administrators group; it does not turn a standard user into an admin, so this step depends on the RDP account being an administrator.
