image-20220406135220033

Port 80 only serves a static IIS page, so the next thing to look at is the SVN service.

svn ls svn://ip            # list the repository tree
svn log svn://ip           # commit history (revision numbers and messages)
svn checkout svn://ip      # download the repository
svn up -r 2                # switch the working copy to revision 2

image-20220406135335294

After walking through several revisions it turns out that deploy.ps1 leaks an account and password in an older revision, and moved.txt in the latest revision names the subdomain where that password is reused; add the hostname to hosts and log in directly.
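Checking revisions one by one with `svn up -r N` is slow when the history is long; the part of this workflow that matters is that a secret removed in a later commit is still sitting in an earlier one. The script below is an added example and is not the author's tooling or anything from the target repository: it parses `svn log --xml`, then runs `svn cat -r N` on one path for every revision and reports which revisions contain something that looks like a hard-coded credential. The sample log and the three fake `deploy.ps1` bodies are constructed for this example (the password in them is made up, and the `fetch` parameter exists only so the scan can run without a live server); the regex is a heuristic, not a definitive secret detector.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Heuristic for assignments such as `$password = "..."` or `token: ...` in deploy scripts.
CRED_RE = re.compile(
    r'(?i)\$?\b(pass(?:word|wd)?|pwd|secret|token|apikey|api_key)\b\s*[:=]\s*["\']?([^\s"\';,]+)'
)


def parse_log_xml(xml_text):
    """Turn `svn log --xml <url>` output into (revision, author, message) tuples, oldest first."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("logentry"):
        rev = int(entry.get("revision"))
        author = (entry.findtext("author") or "").strip()
        msg = (entry.findtext("msg") or "").strip()
        entries.append((rev, author, msg))
    return sorted(entries)


def find_credentials(text):
    """Return (key, value) pairs that look like hard-coded credentials in a file body."""
    return [(m.group(1).lower(), m.group(2)) for m in CRED_RE.finditer(text)]


def scan_revisions(repo_url, path, revisions, fetch=None):
    """Fetch `path` at each revision with `svn cat -r N` and collect credential hits per revision.

    `fetch(rev) -> str` is injectable so the logic can be exercised offline; by default it
    shells out to the real svn client. A revision where the file does not exist is skipped.
    """
    if fetch is None:
        def fetch(rev):
            return subprocess.run(
                ["svn", "cat", "-r", str(rev), f"{repo_url}/{path}"],
                capture_output=True, text=True, check=True,
            ).stdout
    hits = {}
    for rev in revisions:
        try:
            body = fetch(rev)
        except subprocess.CalledProcessError:
            continue  # path absent in this revision
        creds = find_credentials(body)
        if creds:
            hits[rev] = creds
    return hits


# --- constructed sample data (not from the target) ---------------------------------
SAMPLE_LOG_XML = """<log>
<logentry revision="3"><author>nathen</author><msg>Move credentials out of the script</msg></logentry>
<logentry revision="2"><author>nathen</author><msg>Add deploy.ps1</msg></logentry>
<logentry revision="1"><author>nathen</author><msg>Initial import</msg></logentry>
</log>"""

SAMPLE_REVISIONS = {
    1: 'Write-Host "initial import, nothing deployed yet"',
    2: '$user = "deploy"\n$password = "Example!Pass1"\nCopy-Item .\\site C:\\inetpub\\',
    3: '$cred = Get-Credential\nCopy-Item .\\site C:\\inetpub\\',  # secret "fixed" here, still in r2
}


def sample_fetch(rev):
    """Stand-in for `svn cat -r N`; raises like subprocess would when the file is missing."""
    if rev not in SAMPLE_REVISIONS:
        raise subprocess.CalledProcessError(1, ["svn", "cat"])
    return SAMPLE_REVISIONS[rev]


if __name__ == "__main__":
    # Offline demonstration on the constructed history above.
    revs = [r for r, _, _ in parse_log_xml(SAMPLE_LOG_XML)]
    print(scan_revisions("svn://ip", "deploy.ps1", revs, fetch=sample_fetch))
    # Against a real target (assumes the svn client is installed):
    #   log = subprocess.run(["svn", "log", "--xml", "svn://ip"], capture_output=True, text=True).stdout
    #   print(scan_revisions("svn://ip", "deploy.ps1", [r for r, _, _ in parse_log_xml(log)]))
```

The point of scanning every revision rather than the head is exactly the situation in this box: the credential was removed from the script in a later commit, but `svn cat -r 2` still returns it, and nothing in the latest checkout would show that it ever existed.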

image-20220406135449121

Use the repositories to work out which subdomain we control, then upload a webshell.

image-20220406135748866

Create a branch named 123 from master, commit the aspx shell, then open a pull request; once the merge has completed and the pipeline has deployed it, browse to the file to get the webshell.

image-20220406174519232

whoami then shows iis apppool\defaultapppool, so without further thought the potato family (EfsPotato) finishes the job. (Reading root.txt directly from the potato failed here, so I created a new user and went in with evil-winrm instead.)

image-20220406184221713

image-20220406184633529

image-20220406184811084

This is obviously not the intended path for the box: what we have is the IIS privilege, yet user.txt sits under robisl, and port 5985 is not open for nothing. Let's do it again a different way.

Drop winPEAS on the host and start thinking about misconfigurations. After a look around there were too many leads, so I decided to check the unusual directories first, and that turned up the target straight away.

image-20220406190222066

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday