Browsing to port 80 directly only shows a static IIS site, so I turned to SVN instead.
svn ls svn://ip        # list the repository contents
svn log svn://ip       # commit history
svn checkout svn://ip  # download the repository
svn up -r 2            # move the working copy to revision 2
After comparing several revisions, deploy.ps1 turned out to leak an account and password, and moved.txt in the latest revision pointed to a subdomain on which that password is reused; add it to the hosts file and log in directly.
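A leak like the one in deploy.ps1 survives in the repository history even after the file is cleaned up, which is why a repository audit has to walk every revision rather than only the current checkout. The following added example (my own code, not from the writeup) scans a constructed revision history for credential patterns and separates out the findings that a HEAD-only scan would miss; the revision contents, file paths and the `svc_deploy`/`S3cretDeploy` values are constructed placeholders, not data from the box.

```python
"""Scan every revision of a repository for leaked credentials, not just HEAD.

Added example (not from the writeup). The revision history below is
constructed to mirror the pattern in the post: a credential committed in an
early revision of deploy.ps1 and removed later, plus a URL with embedded
credentials in a later file. In a real audit the contents would come from
`svn cat -r <rev> <path>` for each path listed by `svn log -v`.
"""
import re
from dataclasses import dataclass

# Constructed sample history: revision number -> {path: file content}.
SAMPLE_REVISIONS = {
    1: {"deploy.ps1": "Write-Host 'deploying'\n"},
    2: {
        "deploy.ps1": (
            "$user = 'svc_deploy'\n"
            "$password = 'S3cretDeploy'  # constructed value, not a real secret\n"
            "Invoke-WebRequest -Uri 'http://deploy.example.test/' -Credential $cred\n"
        )
    },
    3: {
        "deploy.ps1": "# credentials moved to the vault\n$cred = Get-Credential\n",
        "moved.txt": "Site moved to https://svc_deploy:S3cretDeploy@dev.example.test/\n",
    },
}

# Patterns are tried in order; the first one that matches a line wins.
CREDENTIAL_PATTERNS = {
    "powershell_password_assignment": re.compile(
        r"""\$(?:password|passwd|pwd|secret)\s*=\s*['"](?P<secret>[^'"]+)['"]""", re.I),
    "url_embedded_credentials": re.compile(
        r"[a-z][a-z0-9+.-]*://(?P<user>[^/\s:@]+):(?P<secret>[^/\s@]+)@", re.I),
    "key_value_password": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(?P<secret>\S+)", re.I),
}


@dataclass(frozen=True)
class Finding:
    rev: int
    path: str
    line_no: int
    kind: str
    secret: str


def scan_revisions(revisions):
    """Return one Finding per matching line, across every revision and path."""
    findings = []
    for rev in sorted(revisions):
        for path in sorted(revisions[rev]):
            for line_no, line in enumerate(revisions[rev][path].splitlines(), start=1):
                for kind, pattern in CREDENTIAL_PATTERNS.items():
                    match = pattern.search(line)
                    if match:
                        findings.append(Finding(rev, path, line_no, kind, match.group("secret")))
                        break
    return findings


def only_in_history(revisions, findings):
    """Findings whose secret no longer appears in the latest revision of the file.

    These are exactly the leaks a HEAD-only scan misses: the secret was deleted
    from the working copy but is still retrievable from an older revision.
    """
    head = revisions[max(revisions)]
    return [f for f in findings if f.secret not in head.get(f.path, "")]


if __name__ == "__main__":
    all_findings = scan_revisions(SAMPLE_REVISIONS)
    for f in all_findings:
        print(f"r{f.rev} {f.path}:{f.line_no} {f.kind}")
    for f in only_in_history(SAMPLE_REVISIONS, all_findings):
        print(f"r{f.rev} {f.path}: secret removed later but still in history")
```

Rotating a credential that has ever been committed is the only real fix; `only_in_history` is there to show that removing it from the current revision does not close the exposure.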
Using the repository, work out which subdomain we control and upload a webshell there.
Create branch 123 from master, upload an aspx shell, open a pull request, wait for the merge to finish, then browse to the file to get the webshell.
whoami then shows iis apppool\defaultapppool, so without further ado the Potato family (EfsPotato) finishes the job. (Reading root.txt directly failed here, so I created a new user and logged in with evil-winrm instead.)
This clearly isn't the intended path of the box: we ended up with IIS privileges, yet user.txt sits under robisl, and port 5985 isn't open for nothing, so let's try a different approach.
Drop winPEAS and start thinking about misconfigurations. There is too much output to go through, so I decided to look at the special directories first, and found the target right away.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
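To audit a listing like this one, the added example below (not part of the writeup) parses the `[users]` section and reports repeated usernames, passwords shared by several accounts, and passwords shorter than a chosen minimum. It assumes the listing is an svnserve passwd file (`name = password` pairs stored in cleartext), which the post does not state, and uses a short excerpt of the entries above as its input.

```python
"""Parse an svnserve-style passwd file and audit it for credential hygiene.

Added example (not from the writeup). Assumes the `[users]` listing in the
post is in svnserve's passwd-file format: `name = password` pairs under a
`[users]` section, stored in cleartext. The sample below is a short excerpt
of that listing, used here as constructed input.
"""
from collections import Counter, defaultdict

# Excerpt of the listing from the post, used as sample input.
SAMPLE_PASSWD = """\
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robish = onesare
robisl = wolves11
ronkay = onesare
sabken = drjones
"""

MIN_PASSWORD_LENGTH = 8  # audit threshold chosen for this example


def parse_svnserve_passwd(text):
    """Return (user, password) pairs from the [users] section, keeping duplicates.

    Duplicate keys are kept on purpose so that the audit can report them,
    rather than silently collapsing them to a single entry.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "users" or "=" not in line:
            continue  # ignore other sections and malformed lines
        user, _, password = line.partition("=")
        entries.append((user.strip(), password.strip()))
    return entries


def audit_passwd(text):
    """Flag duplicate users, passwords shared by several users, and short passwords."""
    entries = parse_svnserve_passwd(text)
    user_counts = Counter(user for user, _ in entries)
    users_by_password = defaultdict(list)
    for user, password in entries:
        users_by_password[password].append(user)
    return {
        "duplicate_users": sorted(u for u, n in user_counts.items() if n > 1),
        "reused_passwords": {
            p: sorted(us) for p, us in users_by_password.items() if len(us) > 1
        },
        "short_passwords": sorted(
            u for u, p in entries if len(p) < MIN_PASSWORD_LENGTH
        ),
    }


if __name__ == "__main__":
    for key, value in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

On the excerpt, the audit flags `nichin` as listed twice and `onesare` as shared by `robish` and `ronkay`; the same reuse check is what turns a single leaked password into a list of other accounts worth rotating.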